THE RESOURCE FOR SECURITY EXECUTIVES

LET'S MAKE A DEAL
How to write a guard [...] contract, page 44
IBM, the IBM logo, System z and Tivoli are registered trademarks of International Business Machines Corporation in the United States and/or other countries. ©2007 IBM Corporation. All rights reserved.
INFRASTRUCTURE LOG

DAY 25: Our ad hoc security solutions are out of control. We're not prepared for new threats. We're always playing catch-up. We're leaving ourselves vulnerable and exposed.

Gil's had a security epiphany: high-powered lasers. They're everywhere. I keep zapping myself as I type.

DAY 26: I'm taking back control with an end-to-end security solution from IBM. Their security service experts can come in and help us assess our security needs. IBM Tivoli® helps us monitor and respond to threats while managing access to our critical information. And the IBM System z™ mainframe's encryption and multilevel security features are legendary.

That's great. But it won't bring back my left sideburn.

IBM.COM/TAKEBACKCONTROL/SECURITY


"There's just a gold mine of security information" in Internet traffic.

-AT&T CISO ED AMOROSO, PAGE 26


COLUMNS

20 Blame the United States
WORLD VIEW When Europeans don't like a security measure, they think they know where to point their finger. By Paul Raines

22 Watching the Wires
MACHINE SHOP Harvard's network surveillance center puts Q1 Labs' QRadar tool to the test. By Simson Garfinkel

44 Finding Your Inner Lawyer
CSO UNDERCOVER How to avoid common pitfalls when negotiating a security guard contract.

26 COVER STORY Pipe Cleaners
NETWORK SECURITY The vast majority of Internet traffic is useless or worse, from spam to denial-of-service attacks to bot-related activity. AT&T wants to clean things up—and earn a tidy profit in the meantime. By Sarah D. Scalet

34 How to Stay Cool on the Hot Seat
CRISIS MANAGEMENT In the event of a crisis or a security breach, the media will come calling. Here's your playbook for making them allies, not antagonists. By Bob Violino

38 Pocket Protection
ELECTRONIC CRIME The facts, the scams, are real. The CIO? Not so much. But here's how organized crime uses technology to make money. As envisioned by Scott Berinato

DEPARTMENTS

13 Briefing
Real ID: Real bad idea?; The booming hacking business; Calculating the cost of a breach; How to survive a violent situation; Thorny—and fragrant—security solutions; Retailers gang up to stop theft; Why personal technology is best left at home

48 Debriefing
Pranking the Super Bowl

IN EVERY ISSUE

4 CSOonline.com
6 From the Editor
8 From the Publisher
10 Letters
46 Index

www.csoonline.com July/August 2007

COVER ILLUSTRATION BY JOHN MACDONALD

Vol. 6, No. 7


MONITORING | ACCESS CONTROL | VIDEO SURVEILLANCE | RFID | INTRUSION DETECTION | EAS | FIRE & LIFE SAFETY

COMMERCIAL SOLUTION

When physical security and IT work together, everybody wins.

You can leverage your respective strengths to deliver new levels of performance, gain greater returns on your security investment and reduce your total cost of ownership. And few companies are more experienced at bringing people together to address security issues than ADT. In fact, we've been helping customers use innovative solutions to address new challenges for more than 130 years. Let us help you do the same. After all, the best way to face new challenges is with New Thinking.

For more information on our convergence capabilities or to learn about Secure World Expos, call 1-888-228-0274 or go to ADT.com/convergence.


ADT Always There®

ADT state license numbers are available for review on www.adt.com or by contacting 1-800-ADT-ASAP®. Copyright ©2007 ADT Security Services, Inc. All Rights Reserved. ADT, the ADT logo, ADT Always There and 1-800-ADT-ASAP are registered trademarks of ADT Services, AG, and are used under license.


President and CEO Michael Friedenberg
Publisher Bob Bragdon

EDITORIAL

Editor in Chief Derek Slater
Executive Editor Scott Berinato
Senior Editor Sarah D. Scalet
Editor at Large Simson Garfinkel
Assistant Managing Editor Emily S. Henderson
Senior Copy Editor Cathy Mallen
Copy Editor Susan Bryant-Still
Associate Staff Writers Christopher Lynch, Katherine Walsh
Editorial Assistant Kristin Burnham
Editorial Administrator Jill Paquette
Contributors Kathleen S. Carr, Daintry Duffy, Grant Gross, Robert McMillan, Paul Raines, Bob Violino

DESIGN

Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH

Research Manager Carolyn Johnson
Senior Research Analyst Seanna Maguire

ONLINE EDITORIAL

Online Editorial Director Christopher Lindquist
Online Managing Editor Michael Goldberg
Senior Online Editors Sandy Kendall, Meridith Levinson, Shawna McAlearney, Esther Schindler
Associate Online Editor Diann Daniel
Online Writer Al Sacco
Online Copy Editor David Gradijan

INFORMATION SYSTEMS

IDG Director of Information Services Nancy Newkirk
IT Manager Sean McCracken
Senior User Support Specialists Christopher A. Kay, Thomas Lupien
User Services Specialist Gloria Lam
Associate User Support Specialist James Brevard
Senior Web Developer David Cohen
Web Developer Sanghee Seo

CXO MEDIA / IDG

COO Matt Smith
CSO Robert Hayes

CXO MEDIA INC.

INTERNATIONAL DATA GROUP

Board Chairman Patrick J. McGovern
President, IDG Communications Bob Carrigan


PHOTO TOP BY ERIK DREYER/GETTY IMAGES; BOTTOM BY WEBB CHAPPELL


The CSO Quiz Book

Find a collection of the best quizzes and interactive tools on CSOonline.com.

www2.csoonline.com/exclusives/column.html?CID=32915

Systematic Destruction of an Infosec Program

Chad McDonald offers "a how-to guide for bad CIOs." Anything on his checklist sound familiar? We hope not....

blogs.csoonline.com/node/332

Backups: The Weakest Link

Companies are spending millions to lock down networks and applications. But what about the backups?

blogs.csoonline.com/node/342

Basic Guide to Days of Risk

Microsoft's Jeff Jones breaks down the days-of-risk concept.

blogs.csoonline.com/node/321

"What good is good security if you can't explain it to your customers?"

-CSO SENIOR EDITOR SARAH D. SCALET, IN "WHAT BANKS TELL CUSTOMERS ABOUT THEIR ONLINE SECURITY" WWW.CSOONLINE.COM/ALARMED



Our definition of convergence. It's when all your disparate physical security systems work together as one across multiple platforms and locations. Your common business processes between physical security and IT are managed as one. Driven by business policies that you write, with full transparency and control from a single web-based dashboard. Quantum Secure brings it all together so you can think more strategically with our off-the-shelf solution, SAFE.

■ Creation of ONE identity across disparate access systems
■ Policy-based and automated new hire, termination and change management for physical access
■ Sustainable operations to comply with internal and government regulations

And it's all exclusively from Quantum Secure.

QUANTUM SECURE
the power to converge

1.408.687.4587 • quantumsecure.com • info@quantumsecure.com


Dealing With Us

On Page 34 you'll find Bob Violino's article on how to deal with the media during a crisis. In this article, we (the media) advise you to treat us as trustworthy friends.

Blatantly self-serving of us, wouldn't you say? I would.

Well, there's a reason for the story aside from the desire to make our reporting jobs easier.

CSO's editorial staff observed the tabletop exercise at our Perspectives conference this past spring. The scenario involved a physical intrusion that might (or might not) have compromised the victim company's core intellectual property. The roles of both victim and media were played by security professionals like yourself. The relationship between the two groups started poorly and got worse. "Everything we saw from the company looked like a cover-up, whether there was one or not," was the comment of one attendee playing the role of a media reporter. His natural response was to dig harder and to try to go around the company's PR function.

Antagonism between media and security is no surprise. When we launched CSO, one observer of the publishing industry questioned our chances: "Will they be able to get tight-lipped security pros to give up the details of security breaches?" To us, that kind of "gotcha" story has never been the main goal, because as we planned our launch, CSOs told us they could already find breach stories all over the place. "If it bleeds, it leads" is an old adage in the newspaper business—the more violent or sensational the cover, the more copies would fly off the newsstand. That philosophy explains why lost laptops show up on page one in the national media, and security success stories show up—well—they rarely show up anywhere. What CSOs want instead of breaches (you tell us) is best practices. What works, not what failed. And that's where we focus the bulk of our attention. ChoicePoint is really the only company I can think of that we've taken to the woodshed (though our publisher has beaten up TJX a few times), and that was in response to an extraordinary confluence of failed oversight and subsequent excuse-making by that company.

Still, there's no question that intrusions and disasters do occur. So there's a time and place to dig into the details of those breakdowns. And there is a time to talk about what to do during a crisis so that the otherwise bloodthirsty mainstream media reacts to your pain in as constructive a manner as possible.

I think you'll find Violino's article most useful in that regard.

-Derek Slater
dslater@cxo.com




PHOTO BY WEBB CHAPPELL


MULTIPLY ENERGY EFFICIENCY AND MAXIMIZE COOLING.

THE WORLD'S FIRST QUAD-CORE PROCESSOR FOR MAINSTREAM SERVERS.

The new Quad-Core Intel® Xeon® Processor 5300 series delivers up to 150% more performance than the competition.* Based on the ultra-efficient Intel® Core™ microarchitecture, it's the ultimate solution for managing runaway cooling expenses. Learn why great business computing starts with Intel inside. Visit intel.com/xeon

*Performance measured using SPECint*_rate_base2000 comparing a Quad-Core Intel® Xeon® processor X5355-based platform to a Dual-Core AMD Opteron® processor Model 2220SE-based platform. Visit intel.com/performance. ©2007 Intel Corporation. Intel, the Intel logo, Intel. Leap ahead., Intel. Leap ahead. Logo, Intel Xeon and Xeon Inside are trademarks of Intel Corporation in the United States and other countries.


The Compliance Cop-Out

At what point do you just give in? Or have security executives already done so? I'm not talking about how tough the threats are or how difficult the challenge is in managing complex security environments. I'm talking about how security spending gets justified.

Over the past few months I have seen a number of market studies come across my desk that all reaffirm something we have been seeing for several years. Namely, that the top driver used by security executives to justify security investment is regulatory compliance. With the growing burden of regulation, this shouldn't come as any surprise to CSO's readers. But it also shouldn't be surprising when I point out that this is far from the best way to justify investment, and that's where I feel compelled to take some of our readers to task.

The best way to justify investment is by undertaking a comprehensive risk assessment in your organization and then designing an appropriate program to mitigate risk based upon that assessment. This ensures that an appropriate level of investment is being allocated toward risk mitigation based on the needs and constraints of the business. What is happening—overwhelmingly, I might add—is that CSOs are running off to the CFO and the board with investment requirements designed to meet the compliance standards of SOX, or PCI, or GLB, and so on. The problem here is that regulations are based on a standardized requirement of security across one industry, or many. What one company may do to be compliant with SOX may be entirely off base with what is truly needed in the organization to mitigate the specific risks this specific organization faces.

Don't get me wrong, I have been hearing loud and clear how difficult it can be to justify investment. In fact, in many of the same studies I referred to earlier, we're finding that the number-one method used by CSOs to determine if their organization's security initiatives are effective is professional judgment. Not metrics. Not third-party evaluations. Not ROI. Your own professional judgment. And while I agree that there is no substitute for experience, I fear that those who justify their investments by relying on regulatory compliance and then measure effectiveness via their own professional judgment are setting themselves up for a fall.

Remember the days when security was sold by using fear, uncertainty and doubt (FUD)? It was very effective at the time, but as bad things didn't happen it raised the question, "Did nothing bad happen because we had great security or because nothing bad was going to happen in the first place?" Many CSOs lost a lot of credibility in that exercise. When you justify investment based on compliance and then measure effectiveness with professional judgment, what happens to your credibility if something goes wrong?

Remember that professional judgment translates quickly into credibility. You are the experts at what you do. Just make sure that your actions are backed up with concrete reasons.

-Bob Bragdon
bbragdon@cxo.com




PHOTO BY CHRISTOPHER NAVIN



Advertising Supplement

Resources to Shape Your Business Continuity Strategy


The Business Continuity Agenda: 2007

In conjunction with the inaugural Business Continuity Forum, we've conducted new market research on the topic, and the results are a mixed bag.

On one hand, we've never been better prepared. We have better systems than ever, and our processes and people are eminently prepared to mobilize in the event of natural, man-made or pandemic disasters.

On the other hand, the stakes have never been higher. Never has so much business been dependent on so many disparate technologies, any one of which holds the potential to cripple a business if—when—disaster strikes.

And with so much at stake, never has there been greater pressure to support more stringent recovery time objectives (RTO) and recovery point objectives (RPO)—yet with little if any additional investment in business continuity personnel or resources.

The survey numbers are striking. Asked if they'd recently encountered at least one disruptive event to their business systems—power failures, network outages—92 percent of respondents said yes. Yet, when asked to self-assess their organizational readiness for general disasters, these same business leaders gave themselves at best a C+/B-.

The overwhelming message is that while the demand for robust business continuity has never been greater, funds are still scarce—and so are staffing, sponsorship and proper testing. Read on to learn more about the survey results. On the following pages, writer Sam Greengard examines the numbers and explores their ramifications.

In addition, SunGard Availability Services, our survey's exclusive sponsor, offers a case study of one of its customers, Hx Technologies, and we've compiled some resources for you to learn even more about business continuity.

It's a hot topic already, and it's only going to get hotter. The trick is not to get burned by business continuity issues. We're here to help.

Best regards,

Gary Beach, Publisher, CIO

Bob Bragdon, Publisher, CSO

RESOURCES

For more information about business continuity issues:

The Business Continuity Planning Association (BCPA): www.bcpa.org
Business Continuity Planning Guide: www.yourwindow.to/business-continuity/
Limiting IT Downtime Window Major Concern (SunGard): www.availability.sungard.com/limiting_IT_downtime
Key Considerations for Disaster Recovery Planning (SunGard): www.availability.sungard.com/DR_planning


Business Continuity: How to Raise the Bar 2007

Making the Grade

Capabilities are greater than ever—but so are the business demands, according to new research.

The data residing in servers and computer systems has emerged as the currency for the 21st century economy. When the flow of data is interrupted, a business or other institution may find itself staring down the barrel of lost sales and diminished productivity. It may also face regulatory and compliance problems—as well as a loss of trust on the part of customers, business partners and employees. In some cases, public health and welfare hang in the balance.

Business continuity is a growing concern for CIOs and other business leaders. While there's a greater awareness that companies must keep systems running and meet recovery time objectives (RTO), translating concerns into an actionable strategy can prove daunting, especially in an era of tight budgets, limited management sponsorship and complex technical issues. More than a few organizations have discovered that business continuity isn't an option, it's a necessity.

"It is essential to have a recovery plan in place and understand what recovery time objectives and recovery point objectives (RPO) are required for various applications and services," says Donna Scott, vice president and distinguished analyst at Gartner, Inc. During the 1990s, a three-day recovery window was typical. By 2001, one day was common. Today, due to customer and end user demands, "We're seeing a greater need to [establish] recovery periods that range from immediate to four hours. This puts incredible pressure on an organization—and creates additional challenges," Scott points out.

It's a concern shared by a growing number of business and IT leaders. IDG Research and SunGard recently surveyed 215 executives who manage business continuity and found that there's more to the subject than meets the eye and pocketbook. Budgeting, development, testing, communication and updating plans and systems are all key components that respondents cited. And while organizations approach business continuity in markedly different ways—many believe that their processes and performance do not measure up. Less than one in ten are confident of their ability to deal with a potential disruption.

Too often, organizations use the previous disaster or disruption to plan for the next one. They fail to analyze the probability of various scenarios and do not take into account real-world risks. "In many instances, the full value of protecting the business isn't fully understood until a disaster occurs," says Patrick Doherty, Executive Vice President of Marketing at SunGard Availability Services. "Business and IT executives must be on the same page when it comes to developing systems and processes that support business continuity."

Nearly two-thirds of companies have experienced a significant power failure or network outage that had a direct impact on business.

Significant power failure
Network outage
Hardware
Significant critical system downtime
Application or operations error
Hurricane
Flood
Terrorist event
Tornado
Explosion or other significant facility issue
Denial of service attack
Supply chain disruption
Earthquake
Unable to enter the facility for some reason
Other
None of the above

Source: IDG Research 2007

Avoiding Downtime

An overwhelming 92 percent of respondents indicated that they have encountered at least one disruptive event to their business systems. Yet, while high-profile disasters such as earthquakes and hurricanes garner attention, they also distract business and IT leaders from the most common problems: 65 percent of respondents reported disruptions due to power failures, 65 percent listed network outages and 55 percent mentioned hardware failures.

Increasingly, business continuity centers on "information availability" and operating an "always on" network. This shift in thinking away from cataclysmic events and toward more mundane but common threats such as power failures and network outages began to take hold about five years ago. There's a growing realization that focusing on natural disasters and terrorism diverts attention from the realities of today's business environment and the deteriorating state of the typical IT infrastructure.

Remarkably, a typical large enterprise data center is approximately 17 years old. In fact, many organizations rely on legacy systems that can't keep up with today's business and computing demands. While survey respondents gave their organizations an average grade of C- for pandemic preparedness and a C+/B- for overall business continuity preparedness, Doherty believes that today's high availability business environment creates a de facto pass-fail system. "A company that rates itself B or below may not be equipped to recover from an event in the time required," he warns.

Moreover, flat to declining budgets for business continuity mean that many organizations have few ways to escape their problems. Nearly one quarter of respondents said that funding was a problem.

Another nettlesome area is keeping business continuity systems current and testing them on a regular basis. With acceptable downtime windows shrinking, it's no longer adequate to rely solely on tape backup systems or optical storage devices. Today, most companies require advanced recovery solutions that encompass data replication, mirroring, clustering and tiered storage. "It's really a matter of understanding which systems and applications are most critical and then aligning the solution to meet the recovery time objective for each of those individual systems and applications," Doherty explains.

Organizations approach business continuity in markedly different ways—and many believe that their processes and performance are less than ideal.

Edward Waters College, a private institution in Jacksonville, Florida, is among the organizations that emphasize planning. CIO Bernard Chappie says that the school is constantly working to "upgrade equipment and raise awareness." A plan, he says, can be specific, "but you will never have something that addresses each and every scenario. However, you can use that as a model or a paradigm—and if an event comes up that is unique or does not [fit] the program, you can always modify it or make adjustments."

Beyond Backups

Effective business continuity is far more than the sum of effective backups and data replication.

Key components include:

A sound plan and well-defined policies. Effective business continuity requires different departments and constituencies to understand the value of data and how it fits into the company's portfolio of products and services. Although IT executives play a key role in defining strategic needs, other departments—including finance, human resources, operations and legal—must help define and formulate policies and procedures. Various departments must provide input when an organization formulates business continuity strategies. Otherwise, the organization may wind up pursuing a tactical approach that misses the mark.

Effective communication. It's essential to ensure that various constituents understand how a business continuity plan works, including phone or e-mail trees and emergency policies. More advanced notification software and services make it possible to automate the process across different devices and systems, including e-mail, phone, mobile phone, text messaging and PDAs. However, 44 percent of survey respondents indicated that their companies never communicate the overall business continuity plan to all employees. Approximately 59 percent of respondents do not articulate their organization's business continuity plan to key external shareholders.

Regular and ongoing testing. It's impossible to understand how systems function—and how employees use them—without ongoing testing and monitoring. An organization might evaluate systems every quarter or every other year, depending on its requirements. "The key is to remain vigilant and ensure that the required level of resiliency is in place," Doherty notes. Simply having machines turned on and ensuring that systems are operating is not enough. An organization must establish how employees will get to systems and data during an outage or emergency. They must also ensure that proper security safeguards exist.

For More Business Continuity Resources

Visit www.cio.com/sungard/research to read a complete research brief on the new IDG/SunGard Business Continuity study, and check out www.cio.com/sungard for additional strategies and solutions relevant to this key topic.

"Funding" and "people" are identified as the most challenging components of business continuity planning.

Funding
People
Management sponsorship
Testing
Infrastructure/facilities
Customers
Change management
Enterprise support
Systems
Partners
Policies
None of the above

Source: IDG Research 2007

Nearly 80% are considering or evaluating technology or services to enhance or replace their current business continuity/disaster recovery solution.

Storage replication
Virtualization
Redundant data center
Fail-over
Electronic replication
Outsource to a third party
Electronic vaulting
Grid computing
Other 3%
None
Don't Know

Source: IDG Research 2007

Adequate  budgeting.  Despite 
the  fact  that  only  6  percent  of  IT 
budgets  are  allocated  to  business 
continuity,  one  quarter  of  the  com¬ 
panies  surveyed  indicated  that  they 
would  increase  their  spending  in 
this  area— by  53  percent  on  average. 
Moreover,  72  percent  of  organiza¬ 
tions  report  that  they  will  keep 
spending  stable.  However,  with  re¬ 
covery  time  objectives  dropping  and 
recovery  point  objectives  becoming 
more  complex,  the  status  quo  may 
not  be  good  enough.  An  IT  infra¬ 
structure  must  be  flexible  enough  to 
handle  changing  conditions  and  re¬ 
quirements.  By  evaluating  total  cost 
of  ownership  (TCO)  and  conducting 
risk  analysis,  it’s  possible  to  develop 
a  focused  strategy  for  managing 
business  continuity. 


Periodic updates and upgrades. Business continuity is an ongoing evolution that requires constant adaptation. As applications, data requirements and capacity change, what was once a seamless solution might become a liability and risk. Although it’s vital to test systems for availability and ensure that they function effectively, it is also essential to keep the entire infrastructure up to date. Best practice organizations use a task force or cross-functional teams to oversee the initiative and rely on consultants and third-party integrators to provide analysis and assistance. As the business changes and grows, the need for redundant hardware, multiplatform integration, core data protection tools and application-specific support for backup and recovery grows.

A Healthy Recovery

Business continuity is a complex endeavor that continues to garner attention from business and IT leaders within organizations. Nearly 80 percent of survey respondents indicated that they are considering or evaluating technology or services to enhance or replace their current business continuity solution. Leading approaches include storage replication, virtualization, redundant data center, fail-over and electronic replication.

Finally, a growing number of organizations are focusing on compliance issues and fanning out efforts to include non-traditional types of business continuity, including the threat of pandemics. This is helping them build data centers that support their business objectives and inspire confidence among customers, employees and business partners. Says Gartner’s Scott: “Business continuity is an ongoing process that requires constant attention and resources. Organizations that put the right systems and processes in place not only gain protection, they’re able to achieve a competitive advantage.”


“Business and IT executives must be on the same page when it comes to developing systems and processes that support business continuity.”

—Patrick Doherty, Executive Vice President of Marketing, SunGard Availability Services



Business  Continuity 


Case  Study 


Advertising  Supplement 


Information  Availability  Central  to 
Success  of  Access  to  Healthcare  Data 


“Our whole business model is predicated on information availability and continuity. If doctors can’t get the patient record they need, it’s a huge lapse in service. From the inception of our business, we knew that continuous and secure access to patient records would be one of the make-or-break factors in our offering to the healthcare community,” says Joe Murray, VP of Technology, Hx Technologies.


Hx Technologies understands the importance of healthcare organizations having secure access to patient care records—when and where they need them. The company builds and operates health information exchanges that electronically link area hospitals’ records and give providers the ability to access critical patient data on-demand, such as X-rays, CT scans and MRIs. Their success lies in the ability to provide immediate access to a patient’s records when and where medical personnel or health plans need it. And it’s crucial to have that access to patient healthcare data 24/7/365.

To  provide  the  information 
availability  and  continuity  necessary, 
Hx  Technologies  chose  to  house  its 
back-end  infrastructure  and  systems 
with  third-party  provider  SunGard 
Availability  Services. 

Hx Technologies’ systems are managed by SunGard Availability Services at one of its secure data centers to safeguard the critical medical information that is intended for only authorized users of Hx Technologies’ health information exchange.

In  this  way,  Hx  Technologies 
helps  ensure  the  availability  of 
critical  care  data,  combined  with 
optimum  security.  In  the  world  of 
healthcare  today,  more  and  more 
medical  information  is  connected, 
and  physicians,  patients,  and  health 
plans  are  increasingly  relying  on 
having  immediate  access  to  data. 

“We had comprehensive criteria for selecting a service provider. The constant availability of information was huge for us, but security was also of key importance. SunGard had the best security and audit methodology of any provider we considered—from physical site access and data security capabilities, to options for services such as security risk assessment and penetration testing. Due to the sensitivity of the data we deal with, we wanted a partner who would put security front and center,” said Murray.

“From our perspective, healthcare data are 100 times more sensitive and vital than financial data. Credit card and invoice planning can wait a few hours, but for a doctor who needs to access a report for an inbound trauma or stroke patient, information just can’t wait—that person’s life may depend on it. That’s been our mission from the start, and information availability is central to our success.”


Hx Technologies

www.hxti.com 

Hx Technologies (HxTI), based in Philadelphia, works with healthcare payers, providers and regional health information organizations (RHIOs) to provide real-time, web-based access to a patient’s full set of diagnostic images and reports typically scattered out of reach across multiple healthcare facilities.



BE  PREPARED.  FOR  A  FREE  COPY  OF  “SUNGARD’S  PANDEMIC  PREPAREDNESS  CHECKLIST” 
VISIT  WWW.AVAILABILITY.SUNGARD.COM/PANDEMIC  OR  CALL  1-800-468-7483. 


SUNGARD 

Availability  Services 


Keeping People and Information Connected.


680  East  Swedesford  Road,  Wayne  PA  19087 
800-468-7483  |  www.availability.sungard.com 


SunGard’s  advanced  recovery  solutions 
help  get  you  back  up  and  running.  Fast. 
We  provide  extensive  options  to  fit  your 
exact  requirements,  from  tape  or  disk 
backup,  to  data  replication,  mirroring, 
hotsites,  mobile  solutions  and  more. 


Meet  your  objectives  with  confidence. 

For  over  28  years,  through  2,100  recovery 
situations,  we’ve  delivered  a  100%  success 
rate.  With  solutions  that  achieve  precise 
recovery  timeframes,  locations  and 
data  points. 


And  you  can  maintain  that  control  as  your 
business  evolves.  With  access  to  some 
of  the  most  extensive  data,  system  and 
network  resources  available  anywhere. 
Reach  higher  levels  of  Information 
Availability,  at  a  fraction  of  the  cost  of 
building  the  infrastructure  yourself. 


The  right  solution  for  today.  Strong 
preparation  for  tomorrow.  Let  SunGard 
show  you  how  to  expect  the  unexpected. 


Quick,  take  a  snapshot.  Suddenly  part  of 
your  IT  infrastructure  is  inaccessible.  What 
happens  to  your  business? 


HOW  TO  EXPECT  THE  UNEXPECTED 


Thank  you  to  the  2007  sponsors: 

Platinum  Sponsors: 

Novell 

Silver  Sponsors: 
chosenSecurity  Identris 

Securing Your Enterprise

PRIVARIS 

Produced  by: 

cso 

The  Resource  for  Security  Executives 


Entrust 

Securing  Digital  Identities 
&  Information 


Gold  Sponsors: 


SAVE THE DATE

Space  is  limited.  Register  today: 
www.csoonline.com/conferences 
for  more  information  cal 


Join  us  for  our  upcoming 

CSO  Executive  Seminar  Series  on 

PCI  &  Privacy 


September  13,  2007 
New  York,  New  York 




letters 


csoletters@cxo.com 


In  Defense  of  Forensics 

I AGREE in part with the fact that there are shortcomings in forensic analysis [“The Rise of Antiforensics,” June].

But rather than saying “forensic analysis doesn’t work,” you should point out why it doesn’t work. Is it because law enforcement is behind, still using DOS-era and “Nintendo forensics” techniques?

Is it because there’s a lack of research and communication in the forensic community (whereas in the organized crime arena, there is a great deal of both, largely due to the economic factor that supports and drives it)?

Stating in general that forensic analysis doesn’t work will cause your audience to move away from such things altogether, when they are extremely important. In fact, there simply isn’t enough forensic analysis being done at this point.

HARLAN CARVEY

Author of Windows Forensic Analysis

Scott Berinato replies: While I hope the article gets readers thinking seriously about a serious issue, I wouldn’t presume to have so much sway as to cause the entire audience to move away from forensic analysis. The article takes no position on the goodness of forensic analysis; it takes a position on the effectiveness of the practice, based on deep research. Mr. Carvey says I should focus on why it doesn’t work and then asks a string of hypothetical questions. The answer to all of those questions, here and in the story, is “Yes.”

[Image: cover of the June issue, “The Rise of Antiforensics”]

Ivy League Ingenuity

ONE OF the best examples of the principles you outlined [in “How to Control Crowds in Ancient Pompeii,” May] is the Yale Football Stadium in New Haven, Conn. Its restrooms are outside the stadium, large and open, fostering continuous movement out of the building. A broad, paved roadway separates the stadium from the restrooms. Inside is the wonder of the Roman stadium. I often sit there on a Saturday afternoon, during a really bad game, and think of how it must have been in ancient times.

Moving crowds in and out of the stadium is done by use of tunnels, which are wide enough for six men. When you enter the stadium proper you’re greeted by a broad walkway that runs completely around the stadium. There’s also one at the top of the structure. Seats, although made of wood, are built in such a manner that you can spread out in general admission. Reserved seating is the usual tight fit.

You or [G. Keith] Still could enjoy this structure built in 1914. You’d swear you were back in Pompeii again. The neighborhood around the Bowl has changed a great deal but still allows for quick movement in and out of the parking areas. Romans were lucky—no cars.

I enjoyed your article very much.

CHRISTOPHER H. SAWYER

FMP Business Support & Training Mgr.

United Technologies Corp.

The PCI Debate Continues

GREAT ARTICLE on PCI compliance [“Standardized Tests,” April]. One issue that never seems to get mentioned is the complex tangle between the auditors and the remediation. Visa requires firms to pony up over $30,000 in fees just to do PCI audits. That’s an expensive hurdle, but it has still led to a glut of companies that do nothing but PCI audit work. These auditors are trying to get into the remediation business, when audit rules clearly state that you cannot have the same company audit a business and perform remediation work.

One of the growth areas surrounding PCI compliance is remediation services. We found in our business that there is more opportunity for providing remediation services, rather than the audit part.

As for federal intervention, that is probably inevitable. It’s too easy for the auditors and the audited to become cozy with each other under the current design. It’s obvious that companies like TJ Maxx are not implementing good security controls if an intruder can be inside the network for months accessing data at will.

ANDREW PLATO

President/Principal Consultant

Anitian Enterprise Security


How to Reach Us

E-MAIL
csoletters@cxo.com

PHONE
508 872-0080

FAX
508 879-7784

ADDRESS
CSO Magazine, 492 Old Connecticut Path,
P.O. Box 9208, Framingham, MA 01701-9208

SUBSCRIBER SERVICES
Phone: 866 354-1125 Fax: 847 564-9453
E-mail: cso@omeda.com

REPRINTS
For article reprints (100 quantity or more), contact Keith Williams at PARS International at 212 221-9595 x319 or e-mail keith.williams@parsintl.com.

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG’s 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.


We  want  to  hear  from  you 

TO  RESPOND  to  articles  you’ve  read  in 
CSO,  write  to  us  at  csoletters@cxo.com.  We 
welcome  your  thoughts  and  suggestions. 


10  www.csoonline.com  July/August  2007 


We’ve got your back.

BT’s got ours.

You’ve bought the firewalls, the security appliances, filters, servers and software. But technology alone doesn’t stop attacks. Vigilance does.

Counterpane has always helped enterprises monitor and manage their assets, detect attacks and respond quickly - before the IT hits the fan.

Now we’re even stronger, as part of BT, the global powerhouse in networked IT services.

BT Counterpane takes the burden of vigilance from the shoulders of your security staff so they can focus on your business. No one sees more kinds of attack. No one understands security better. No one does what we do, the way we do it. Who’s got your back?

Free Download
Bruce Schneier’s 2007 Attack Trends
bt.counterpane.com/buzz

bt.counterpane.com

BT Counterpane


THE SECURITY STANDARD
An IDG Executive Forum Produced in Cooperation with Information Security Forum

Transform the Business of Security in Your Organization

The Fairmont Hotel, September 10 - 11, 2007, Chicago, IL

Integrate security best practices into your critical business initiatives:

■ Discover what measurements can be used to gauge value-oriented security investments

■ Uncover approaches to building strong relationships with executive peers for successful security operations

■ Explore best practices you can utilize to minimize the impact of potential security threats

■ Learn how to develop effective strategies to extend corporate security to a mobile workforce where personal and professional uses converge

Featured Sessions:

Auditors Speak Out
Learn how to build an effective relationship with audit to help secure the enterprise and to understand what auditors are looking for today and in the future.
Lane Boyd, Director, Information Technology Audit, McDonalds
Mike Garber, Assurance Management, Motorola Information Protection Services

Crisis Management: Planning for the Worst
Identify the contingency strategies needed to effectively implement crisis planning and manage the potential loss of intellectual property.
Daniel Diermeier, PhD, IBM Distinguished Prof. of Regulation & Competitive Practice, Dept. of Managerial Economic & Decision Sciences (MEDS), Northwestern University

9/11: Six Years Later
Explore the collaboration of government and the private sector and the critical steps required to improve the protection of technology and information assets.
Catherine A. Allen, Chairman and CEO, The Santa Fe Group
Michael Assante, Infrastructure Protection Strategist/Business Manager, Idaho National Laboratory (INL), National & Homeland Security
Dr. Stephen L. Squires, Former Chief Science Officer, Hewlett-Packard Company
John G. Voeller, Senior Analyst, White House Office of Science and Technology Policy

Co-Executive Producers
Robert Bragdon, Publisher, CSO magazine
John Gallant, President & Editorial Director, Network World

Secure your seat today!
Attendance is limited to qualified security and business executives.*

RSVP today at www.thesecuritystandard.net/2CSOA07 or call 800-643-4668.

*Attendance is limited to qualified senior business and technology professionals involved in security and risk management strategies and/or purchasing decisions within medium and large enterprises.

Principal Sponsors: Cisco
Platinum Sponsors: Microsoft, Symantec
Gold Sponsors: Finjan, Juniper Networks, Qualys, RSA (The Security Division of EMC), Websense

CSO · InfoWorld · Network World · Computerworld · IDG


REAL Bad Idea?

Privacy advocates and some states are pledging to fight the adoption of Real ID

REAL ID may be more than just a real pain: It may have serious privacy implications as well.

The 2005 act was passed in response to the 9/11 Commission’s recommendation that the government better ensure the validity of U.S. IDs. Real ID would require states to save digital copies of source documents such as birth certificates for driver’s licenses and require states to share information in their driver’s license databases. In theory, the new ID cards, which would include digital photographs and personal information in a machine-readable chip, would better verify the identity of people carrying the cards. But the legislation has raised the eyebrows of privacy advocates. In addition to the prohibitive cost of implementation (estimates range between $11 billion and $23 billion) and the lack of compliance guidelines from the Department of Homeland Security, detractors argue that the creation of a national database poses inherent security risks, such as identity theft and counterfeiting. In May, 43 privacy, civil rights and consumer organizations launched a campaign to raise awareness and stop Real ID.

“There are 245 million identification cardholders nationwide. If you’re linking 50 states together and providing multiple access points to multiple DMVs, that’s a huge security risk,” says Melissa Ngo, director of the Identification and Surveillance Project at the Electronic Privacy Information Center (EPIC). Furthermore, the current guidelines do not establish how the data would be secured. “There are background check requirements for the DMV workers who will be accessing the data, but the information itself is unprotected,” says Ngo. “It’s fundamentally flawed.”

After the December 2009 compliance deadline, federal agencies will not accept licenses or ID cards from people unless the issuing state is meeting Real ID requirements. Noncomplying ID will not be valid for residents who want to fly on a plane or open a bank account. “It’s not really voluntary because there are immediate punishments for not complying,” says Ngo.

DHS pushed back the original implementation deadline by two years in response to criticism about the cost and lack of guidance from the federal government. In the meantime, states have to prove their intent to comply with the act. Maine, Idaho, Arkansas, Washington state and Montana have already rejected participation. Other states, including California, are planning and preparing.

Bernard Soriano, CIO at the California Department of Motor Vehicles, says his team has already started working on integrating verification systems (such as Systematic Alien Verification for Entitlements and Social Security Online Verification), upgrading equipment and adding storage capacity to computer systems in order to retain documents related to Real ID. Although the requirement doesn’t come as a surprise to Soriano, he says that doesn’t mean compliance isn’t a daunting task. However, states don’t have to feel completely helpless. A Gartner report released in March outlines recommendations for states to prepare for Real ID:

■ Implement integrated document scanning, authentication and storage systems.

■ Develop privacy protections to prevent personally identifiable information from being exchanged between jurisdictions.

■ Collaborate with other states to develop “pointer-type” systems to determine whether an individual already possesses an ID from another jurisdiction.

-Katherine Walsh (with Grant Gross)





Briefing 


The Booming Hacking Business

IT’S A GOOD time to be a malicious hacker. That’s because even though it’s not a time of revolutionary new techniques in hacking for profit, business is booming for the established methods. Despite increased investment in information security defenses, the good guys continue to lag badly behind. According to one report by Sophos, which called the recent uptick in malware a “deluge,” by April 2007, more than 250,000 websites were hosting malicious code and more than 8,000 were being added to that total every day.

A sample of the deluge:

■ Hackers compromised Google AdWords so that links on certain sponsored ads were redirected to the attackers’ website first, where an attempt was made to install a keylogging bot.

■ Zero-day exploits in Windows were discovered, including a critical flaw in animated cursor files that would allow an attacker to commandeer a PC.

■ Incidents of iFrame malware—code that lives in an invisible-to-the-eye frame on a website and delivers bots onto the PCs of people visiting the site—have increased.

■ Credential-stealing bots like Gozi and Torpig continued to troll for personal banking information on infected computers.

■ A hacker won $10,000 breaking into a Mac through the Safari browser, which was followed by Apple releasing a patch for 25 vulnerabilities.

■ A researcher announced she is planning to demo ways to install rootkits and perform encryption attacks on Microsoft’s new Windows Vista product at this summer’s Black Hat conference.

■ A 17-year-old was charged with hacking into AOL, using a phishing scheme against AOL employees and using unauthorized instant messaging accounts, with the intent to transfer confidential data.

The only response for many information security professionals is to stay on top of the latest developments and prioritize response according to need. But that’s getting harder to do with the sheer volume of information on new attacks.

Many are also met by apathy or skepticism when trying to shed light on the problems. “It is hard to discuss solutions when no one believes there is a problem,” says Eric Hacker, a CISSP who works for a technology company. “The culture cannot mix security and business for whatever reason.”

-Scott Berinato

WHAT TO DO

1. Perform a complete pen test and audit of your website, and close up any iFrame vulnerabilities.

2. Prepare for an increasing number of bot infections and have a response plan ready.

3. Keep up on the latest research and intelligence on current attacks.

Calculating the Cost of a Breach

Forrester Research says the figure may be higher than you think

Cost per compromised record for three breach scenarios: (A) a low-profile breach in a non-regulated industry; (B) a low-profile breach in a regulated industry; (C) a high-profile breach in a highly regulated industry.

Discovery, notification and response (outside legal counsel, mail notification, calls, call center and discounted product offers): A $50 / B $50 / C $50

Lost employee productivity (employees diverted from other tasks): A $20 / B $25 / C $30

Opportunity cost (customer churn and difficulty in getting new customers): A $20 / B $50 / C $100

Regulatory fines (FTC, PCI, SOX): A $0 / B $25 / C $60

Restitution (civil courts may require you to put this money aside): A $0 / B $0 / C $30

Additional security and audit requirements (the security and audit requirements levied as a result of a breach): A $0 / B $5 / C $10

Other liabilities (credit card replacement costs; civil penalties if specific fraud can be traced to the breach): A $0 / B $0 / C $25

TOTAL COST PER COMPROMISED RECORD: A $90 / B $155 / C $305

SOURCE: “CALCULATING THE COST OF A SECURITY BREACH,” FORRESTER RESEARCH APRIL 10, 2007. BASED ON A SURVEY OF 28 COMPANIES THAT SUFFERED DATA BREACHES.
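The briefing item above describes iFrame malware: a frame the visitor cannot see, injected into a legitimate page, that pulls code in from somewhere else. A site owner checking their own pages for that kind of injection can start by looking for frames that are hidden on purpose. The scanner below is an added example written for this page, not code from the CSO article or from Sophos; the HTML it scans is a constructed sample, with example.com, bad.example.net and evil.example.org standing in for the site and for the injected hosts.

```python
"""Flag <iframe> elements that are invisible to a visitor.

Added example, not from the CSO article. It reports frames that are
sized at one pixel or less, hidden by inline style, or positioned
off-screen, and notes whether each one loads content from a host other
than the page's own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one visible embed plus three hidden frames.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://bad.example.net/x.php" width="0" height="0" frameborder="0"></iframe>
<div><iframe src="http://evil.example.org/l.html" style="display:none;"></iframe></div>
<iframe src="/internal/help" style="position:absolute; left:-9999px"></iframe>
</body></html>
"""

# Constructed URL of the page being scanned (hypothetical).
PAGE_URL = "https://www.example.com/index.html"

# Inline-style patterns that make a frame invisible or push it off-screen.
_STYLE_HIDDEN = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d+|top\s*:\s*-\d+",
    re.I,
)


def _dimension(value):
    """Parse a width/height attribute such as '0', '1px' or '100%' to an int."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def _hidden_reason(attrs):
    """Return why the frame is invisible to a visitor, or None if it looks normal."""
    w = _dimension(attrs.get("width"))
    h = _dimension(attrs.get("height"))
    dims = [d for d in (w, h) if d is not None]
    if dims and min(dims) <= 1:
        return "tiny frame ({}x{})".format("?" if w is None else w, "?" if h is None else h)
    m = _STYLE_HIDDEN.search(attrs.get("style") or "")
    if m:
        return "hidden by style: " + m.group(0)
    return None


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag, in document order."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_hidden_iframes(html, page_url):
    """Return a list of findings: src, why it is hidden, and whether it is third-party."""
    page_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reason = _hidden_reason(attrs)
        if reason is None:
            continue
        src = attrs.get("src") or ""
        src_host = urlparse(src).hostname  # None for a relative URL
        findings.append({
            "src": src,
            "reason": reason,
            "third_party": bool(src_host) and src_host != page_host,
        })
    return findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, PAGE_URL):
        flag = "THIRD-PARTY" if f["third_party"] else "same-site"
        print("{:<12} {:<32} {}".format(flag, f["src"], f["reason"]))
```

The heuristics are deliberately narrow so the output stays reviewable: a frame is reported only when it is one pixel or smaller, hidden by inline style, or pushed off-screen, and the third_party flag separates a frame that loads another host from one that loads the site's own content. Hidden frames also have legitimate uses (tracking pixels, some widgets), so a finding is a lead for the source review and pen test the "What to Do" list calls for, not proof of compromise.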




IMPROVE YOUR PROFESSIONAL SKILLS (ADVANCE TO CREDIBILITY AVENUE)

CISA
Certified Information Systems Auditor™

Certified Information Security Manager

Exam Registration Deadline: 26 September
Exam Date: 9 December 2007

www.isaca.org/csomag

ISACA
Serving IT Governance Professionals


How to Survive a Violent Situation

When violence erupts, our first instincts are not always the best. Whether it’s an armed individual who enters the workplace or random gunfire in an open area, following these steps can increase your chance of survival.

Seek cover. Shut off the lights, lock the doors and hide. Remember that there is a difference between cover and concealment. Concealment simply hides you. Cover is a significant physical barrier between you and a threat. Make sure that you hide behind concrete or steel. Get behind robust office furniture like a filing cabinet or a safe. Sheet rock is easily penetrable, so interior walls do not provide an adequate defense against a firearm.

Evacuate. In most cases, flight is your best option. Of course, the decision to take flight depends on the proximity of the bad guy to you, your ability to move quickly and whether you have a clear route of escape. It’s a good idea for employees to keep comfortable footwear at the office. Evacuate with your hands up and don’t carry anything that could be confused as a weapon. Run while you evacuate. It reduces the chance of a bullet connecting with you as your distance from the suspect increases.

Call 9-1-1. Your safety comes first. Call 9-1-1 as soon as possible after you are safe or immediately if you are not in physical danger.

Assist law enforcement. Stay calm, give as much detail and information as possible, and remain on the line until you are told to hang up. You can help by describing the suspect and his location.

Overcome the shooter. In some situations, it may be necessary to try to overcome the shooter. This should be attempted only if you have no other option to remove yourself from the situation. You may have access to lethal, nonlethal (but aggressive) or improvised weaponry. A fogging fire extinguisher can be used to temporarily blind an intruder and can also be handled as a blunt instrument. “If you have to fight, fight with anything you can. This includes hands, feet, teeth, sprays or office equipment,” suggests David Katz, president and CEO of Global Security Group. -Kathleen S. Carr


Thorny Solutions

LANDSCAPE SECURITY Reinforced planters, light posts and benches are often used to enhance site security, making it impossible for a bomb-laden automobile to get close to a building. But what landscape options are available for companies that are concerned about individual trespassers accessing high-security areas? Some trees and shrubs are, in fact, quite useful for reinforcing security. Dennis Carmichael, landscape architect and principal with EDAW in Alexandria, Va., highlights some plantings that can provide an attractive and effective deterrent.


HAWTHORNE  This  dense  hedge  grows  20  to 
25  feet  high  and  produces  fragrant  pink  and 
white  flowers.  But  beware  the  sharp  thorns, 
which  can  range  from  1  to  5  inches  in  length. 


HARDY  ORANGE  A  fruit-bearing  tree  often 
used  around  prisons,  hardy  orange  grows 
15  to  20  feet  high  and  wide  and  is  covered 
to  the  ground  with  lacerating  thorns. 


BLACK  LOCUST  Resistant  to  rot  and 
pollution,  black  locust  produces  creamy 
white  flowers  and  a  pair  of  short  thorns 
at  the  base  of  each  leaf. 


PYRACANTHA  This  thorny  evergreen 
shrub  produces  red,  yellow  or  orange 
berries  in  the  fall. 


BARBERRY  Also  referred  to  as  “sticker 
bushes,”  these  shrubs  are  characterized  by 
their  distinctive  three-spined  thorns. 


ROSES  Some  varieties  of  this  garden 
favorite  will  grow  into  a  dense  thicket  that 
is  impenetrable  to  trespassers. 


>> WEED WHACKING The Homeland Security department recently announced a new operational target: Carrizo cane. It might sound like the name of a South American warlord, but it’s actually a weed. Also known as elephant grass, Carrizo cane is a particularly tall and densely growing plant that has taken over areas of the U.S. border with Mexico, blocking waterways, damaging bridges and potentially providing security threats or illegal aliens a cover through which to enter the United States.




TRACKING CRIME An organized gang of shoplifters, or "boosters," can clear as much as $10,000 per day, per person, stealing razor blades, batteries and even infant formula. But now retailers are banding together as well. In April, the National Retail Federation (NRF) and the Retail Industry Leaders Association (RILA) pooled their data into a single national retail crime database.

Called the Law Enforcement Retail Partnership Network (LERPnet), the database also gives retailers a way to share details of crime with the authorities. To date, LERPnet has information on 20,000 crimes gathered from a network of 50,000 stores. In total, 46 retailers, including Sears, American Outfitters and Federated Department Stores, are currently participating in the program.

LERPnet includes a wealth of information about the criminals, such as diversion and security evasion tactics, witness statements, photography and video. Earlier this year, a California luxury department store built a stronger case against thieves who had stolen nearly $400,000 worth of merchandise by sharing information with a lower-end store that had been hit by the same gang, notes Angelica Rodriguez, director of loss prevention with the NRF. Without LERPnet, "the two would have never connected the dots because they serve two totally different markets," she says.

Organized retail crime is estimated to cost the industry as much as $30 billion each year. The retail associations had been tracking this information in two separate databases, but in late 2006 the two groups began merging their efforts at the request of the FBI. Professor Richard Hollinger, author of the University of Florida's ongoing National Retail Security Survey, says, "LERPnet has the potential for being the single most important breakthrough in loss prevention case investigation."

LERPnet's backers hope to see more retailers share their crime data. Higher participation means better chances of catching the bad guys. (For more on organized retail crime, see www.csoonline.com/read/020107/fea_tatamo.html.)

-Robert McMillan


NO PRIVACY ZONE Employees and employers are better protected when personal technology is left at home

ACCEPTABLE USE As it turns out, privacy is not an inalienable right. If you download child pornography on your personal computer and bring it to the office, it could certainly land you in federal prison.

Such a fate exists for Michael Barrows, former Glencoe, Okla., city treasurer. In early April, a U.S. Court of Appeals upheld Barrows' six-year sentence for possession of child pornography, after he argued that he had an expectation of privacy when he took his personal PC to work. The illegal files were discovered when a city clerk, who was having trouble opening a file, asked for help from a reserve police officer who traced the problem back to a file-sharing program running on Barrows' computer.

So what rights does one have when using personal technology in the workplace? Not many, according to Nancy Flynn, executive director of the ePolicy Institute, an electronic communications consultancy. According to a recent American Management Association/ePolicy Institute survey, 84 percent of employers had policies governing workers' personal e-mail use, 76 percent monitored workers' website connections, and 65 percent blocked certain connections completely. Half of all employers said they have fired workers for misusing the Internet or e-mail at work. The number-one reason employers monitor e-mail and Internet use is fear of litigation, says Flynn, and that fear is well founded: 24 percent of small, midsize and large U.S. companies had e-mails subpoenaed by the court in 2006. E-mail has become the "electronic equivalent of DNA," she says.

The best way employers can ensure the proper use of their computer assets is to set rules governing them. In Flynn's opinion, an ideal policy would ban the use of personal technology at the office completely. However, if employers decide to allow personal use, the policy should spell out e-mail rules regarding content, language and confidentiality. "You may want to restrict personal use to certain hours of the day: lunch hours and work breaks, for example, and restrict who they can communicate with: maybe kids, spouses and babysitters." Employers should also offer formal training when it comes to e-mail rules and risks, says Flynn. That way, employees won't feel like Big Brother is looking over their shoulder. "When employers explain rules, why they are in place, how they monitor and why, it goes a long way toward encouraging compliance," says Flynn.

-Katherine Walsh


18 www.csoonline.com July/August 2007


PHOTO BY iSTOCKPHOTO; ILLUSTRATION BY STEVE TRAYNOR






Blame the United States

When Europeans don't like a security measure, they think they know where to point their finger

By Paul Raines

There's a joke making the rounds in Europe these days. It goes like this: There once was a man on a train who was ripping pages from a book and tossing them out the window.

The conductor walks by and cries out, "Hey, what do you think you're doing?"

"I'm trying to keep the elephants away."

"Elephants?" the conductor exclaims. "I don't see any elephants!"

"See!" the man replies. "It's working!"

On one level this is a simple pleasantry designed to provoke a smile. On another it is a metaphor for the way Europeans are increasingly viewing security measures designed to thwart terrorism. In this regard, American and European opinions are increasingly at odds.

Americans tend to view increased security measures as a necessary evil, especially after 9/11. To be sure, there are concerns among some Americans about the invasion of privacy and civil liberties, but it has not risen to a level of mass discontent. In Europe, however, it is approaching that point.

My evidence is a combination of the anecdotal and the factual. Anecdotally, I have lunch and tea every day with my European colleagues. They all have a horror story to tell about too-strict airport security. The complaints range from missing a flight because they were standing in a security line, to having their personal privacy and/or dignity violated because of a run-in with a Customs or security official. They tend to blame Americans for the imposition caused by increased security.

On the factual side, a recent survey of frequent international travelers for the tourism promotion group Discover America found a 17 percent drop in tourism to the United States since 2001. A full 39 percent of the survey's respondents cited the United States as the "worst" for immigration and entry procedures. Half of the respondents said immigration and Customs officials were rude and that they actually feared them more than the threat of terrorism.

There are other minor irritants as well. In the city where I live, the U.S. Embassy has turned into an armed fortress that is an eyesore to an otherwise picturesque historic district. The concrete barricades, fencing and barbed wire cover an entire city block and prevent tourists from visiting a historic monument, which is now enclosed within the embassy's new security perimeter.

These measures, combined with the general unpopularity of American foreign policy in Europe, have created an atmosphere in which any new security measure is reflexively blamed on Americans. Recently, my organization set up metal detectors at a conference of foreign delegates. The reaction from the staff was not that this increased safety, but rather that the American delegation must have required it. (This wasn't true, by the way.)

The grumbling alluded to in the joke about the man on the train is that the extra security measures put in place in Europe after the 9/11 attack don't do much to deter terrorism and are there only because the Americans insist on them. After all, the skeptics say, Europe suffered from terrorism long before 9/11 occurred. What about the terrorist attacks from the Irish Republican Army, Basque Fatherland and Liberty, the Red Brigades, the Palestine Liberation Organization and the Baader-Meinhof Gang? These terrorist groups had been active in the 1970s, '80s and '90s, and Europe had not put extra security measures in place. What makes the present brand of terrorism any different? Europeans are increasingly drawing the conclusion that the difference is that the 9/11 attack affected the United States, and that therefore the United States, and not their own national governments, must be to blame.

I'm not sure where this increased European skepticism of security will lead. Whereas Americans tend to view security like a socket wrench that, once ratcheted up, will never slip back, Europeans see it as a hammer that, once used, must now be returned to the tool chest. This attitude means that it is becoming much more difficult for European security executives to maintain organizational staff support for security measures. They are being told, in no uncertain terms, that it's time to put the hammer down. ■

Paul Raines is CISO of a nonprofit international group in The Hague, Netherlands. Send feedback to Senior Editor Sarah D. Scalet at sscalet@cxo.com.




ILLUSTRATION BY DENNIS NISHI




Watching the Wires

Harvard's network surveillance center puts Q1 Labs' QRadar tool to the test. By Simson Garfinkel

I recently had a chance to visit Harvard University's network surveillance center. One doesn't normally see the words "university" and "network surveillance" in the same sentence, because surveillance of any kind is usually seen as being at odds with the tradition of academic freedom present at most universities. Unfortunately, higher education has long been associated with Internet-related computer crime, both as victims and as the home institution of many perpetrators. As a result, many universities have had to make significant investments in various kinds of network monitoring.

What makes Harvard's network surveillance notable is not the fact that the Crimson engages in network surveillance but the scale and technical sophistication of those monitoring operations. Harvard has 6-gigabit connections to both Tier 1 Internet providers and Internet2. Between 10 and 20 terabytes of data move across Harvard's border every day. What's more, traffic frequently undergoes asymmetric routing, which means that packets travel across different border routers depending on whether they are leaving Harvard or returning, one of the unfortunate consequences of something known as "hot potato routing."

Yet despite this complexity, Harvard manages to categorize and record information about practically every packet crossing its borders.

To find out how Harvard works this magic, I met with Jay Tumas, Harvard's network operations manager. It wasn't a long walk: Jay's office at University Information Systems is just a block down the street from my office at the School of Engineering and Applied Science.

No Packet Left Behind

Harvard's connections to the Internet and Internet2 take place in three physical locations: two in Boston and one in Cambridge. But rather than deploy intrusion and anomaly-detection systems at the border, Tumas has built a dedicated monitoring system that takes all critical traffic, makes a copy of every packet and sends those copies to the network surveillance center on 10-gigabit optical fibers. There the flows are reassembled using Cisco switches and sorted according to protocol family using a cluster of Top Layer 4508 IDS Balancers.

This architecture both lets Harvard split the load among multiple systems (it's too much data for one IDS) and lets each IDS be configured with only the signatures that it actually needs, which makes each IDS run faster than it would if it were responsible for the full protocol suite.

"Last year we had over 10 million IDS hits," says Tumas. But instead of sending out an alert for each hit or just tabulating them in some log file that nobody ever really reads, Harvard has built a reactive system that rates the severity of each IDS hit, judges the chance of a false positive and then automatically alerts the responsible security manager.

The Harvard Network Operations Center has a database with between 1,500 and 2,000 registered system and network managers. When the IDS detects a "hit," the system tries to correlate the hit with other hits. If enough tests pass, the system auto-alerts and sends a missive to the responsible manager. Last year roughly 10,000 such messages went out. "We want people to treat the auto alerts as gospel," says Network Security Manager David LaPorte, who works for Tumas.
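The auto-alert flow just described, as an added example rather than Harvard's or Q1 Labs' own code: IDS hits for one host are correlated inside a time window, the strongest signature's severity is discounted by its estimated false-positive rate, and a qualifying alert is routed to the manager whose registered network prefix best matches the host. The manager registry, signature table, thresholds and hits are all constructed sample data.

```python
"""Correlate IDS hits per host and route alerts to the registered manager.
Added example; all networks, contacts, signatures and hits are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
import ipaddress

# Constructed stand-in for the NOC registry of network managers:
# prefix -> contact.  The longest matching prefix wins.
MANAGERS = {
    ipaddress.ip_network("10.0.0.0/8"): "noc@example.edu",
    ipaddress.ip_network("10.20.0.0/16"): "med-it@example.edu",
    ipaddress.ip_network("10.20.5.0/24"): "lab-admin@example.edu",
}

# signature name -> (severity 1-10, operator-estimated false-positive rate)
SIGNATURES = {
    "ET TROJAN IRC C2 JOIN": (9, 0.05),
    "ET SCAN SSH BruteForce": (6, 0.20),
    "ET POLICY P2P BitTorrent": (3, 0.40),
}


@dataclass(frozen=True)
class Hit:
    ts: int      # seconds since epoch
    src: str     # internal host that triggered the signature
    sig: str     # signature name, must be a key of SIGNATURES


def responsible_manager(host: str) -> Optional[str]:
    """Longest-prefix match of the host against the manager registry."""
    addr = ipaddress.ip_address(host)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, contact in MANAGERS.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else None


def correlate(hits: Iterable[Hit], window: int = 600, min_sigs: int = 2,
              min_score: float = 5.0) -> Dict[str, Tuple[float, Optional[str], List[str]]]:
    """Group hits by host; look only at the `window` seconds before the host's
    latest hit; alert when at least `min_sigs` distinct signatures fired and
    the false-positive-discounted severity of the strongest reaches `min_score`.
    Returns {host: (score, manager contact, sorted signature names)}."""
    by_host: Dict[str, List[Hit]] = defaultdict(list)
    for h in sorted(hits, key=lambda h: h.ts):
        by_host[h.src].append(h)
    alerts = {}
    for host, hs in by_host.items():
        recent = [h for h in hs if hs[-1].ts - h.ts <= window]
        sigs = {h.sig for h in recent}
        if len(sigs) < min_sigs:
            continue  # a lone hit is not enough evidence to page anyone
        # severity weighted by the chance the signature is genuine
        score = max(SIGNATURES[s][0] * (1 - SIGNATURES[s][1]) for s in sigs)
        if score >= min_score:
            alerts[host] = (round(score, 2), responsible_manager(host), sorted(sigs))
    return alerts


SAMPLE_HITS = [  # constructed
    Hit(1000, "10.20.5.17", "ET SCAN SSH BruteForce"),
    Hit(1100, "10.20.5.17", "ET TROJAN IRC C2 JOIN"),   # two signatures, 100 s apart
    Hit(1000, "10.20.9.3", "ET POLICY P2P BitTorrent"),  # single low-value hit
    Hit(1000, "10.7.7.7", "ET POLICY P2P BitTorrent"),
    Hit(5000, "10.7.7.7", "ET SCAN SSH BruteForce"),    # earlier hit is outside window
]

if __name__ == "__main__":
    for host, (score, mgr, sigs) in correlate(SAMPLE_HITS).items():
        print(f"ALERT {host} score={score} -> {mgr}: {', '.join(sigs)}")
```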

Real-time alerts are an important part of network surveillance, but without the ability to look back in time, alerts are of limited use. It's important to find systems that have been compromised. But once you've found these systems, it's equally important to evaluate the damage that's been done.

For example, says Tumas, Harvard's IDS system recently discovered a Microsoft Active Directory domain controller that had been hacked. Not surprisingly, none of the system's logs had been turned on.

To find out what had happened to the system, Tumas and his team turned to QRadar, a security monitoring system sold by Q1 Labs. QRadar monitors multiple sources of information, including packet traces, network flows and security events; builds a model of the network; uses the real-time information to update the model; and archives information as necessary to permit event reconstruction at some future time.

Just as every packet in and out of Harvard gets evaluated by the IDS systems, every packet also gets processed by QRadar. The system analyzes the packets, reconstructs the UDP and TCP streams, decodes the protocols, determines whether protocols are running on the correct port and updates a database of what it's learned in real time. The system can also be
programmed to record part or all of every packet that it sees, although doing so obviously requires a significant amount of storage for a network the size of Harvard's.

"We data-mined every single connection that this system created across the border, then went through and picked out the things that were not typical command-and-control bot traffic, anything that we couldn't identify," Tumas says.

It turned out that the compromised system had participated in a 350-megabyte file transfer with a computer system at another university. This was a matter of great concern. So Harvard contacted the other university and had it look at the other compromised system. The administrators at the other school found the files: 350 megabytes of French music. "They weren't in long enough to discover the value of what they had," Tumas surmises.

In another case, a network administrator at Harvard Medical School called up to complain that its network was under attack. The operators in the Network Operations Center logged in to the QRadar system and immediately saw that the medical school was experiencing a "smurf" denial-of-service attack. The team then put a few additional rules on the Harvard border routers and the attack ended.

"I've never come across a tool that has been able to give the pivot views of data as quickly as QRadar," says Tumas. The system lets Tumas quickly see the total levels of traffic and then break them down according to different categories, such as network protocol, administrative controls, geographical location, time or security severity.

The QRadar system runs on a dedicated dual-processor server running Linux. The packets and databases are stored on a 6-terabyte storage area network connected with Fibre Channel. When I spoke with Tumas the system was recording the first 64 bytes of every packet, which translated to roughly 30 days' worth of data. It turns out, though, that storing the first 64 bytes of each packet isn't tremendously useful; you can't reassemble images or webpages, for example. The plans are to reconfigure the system so that it just keeps metadata about each network connection but discards each packet. With this change, the system should be able to keep six months' worth of forensic information.

Like many modern security appliances, QRadar is accessed over the Internet using a Java applet that runs inside a Web browser. The system at Harvard has been set up so that individual network managers can view the data associated with their own networks. This allows managers to solve their own problems without bothering the team at the network operations center. It also means that QRadar can be used for network debugging and even performance tuning, rather than using it solely for security management.

Needs Improvement

For all of this power, there are at least two problems with the QRadar system that were evident to me during my tour: one that's currently a limitation with the system, and one that isn't.

The annoying limitation with QRadar is that the system really doesn't understand how packets are routed on the Internet. It doesn't understand about Internet autonomous systems, peering relationships and the Border Gateway Protocol (BGP). When QRadar sees traffic leaving Harvard it knows the destination network, but it doesn't necessarily know the destination organization. If QRadar understood BGP, it could actually build a map of the various networks that the leaving packet was due to traverse. The Harvard network operations group would like to see this deficiency addressed, and the sooner, the better.

But a deeper problem is that QRadar does make it possible to engage in a kind of surveillance that really isn't appropriate at a university. Out of the box, the system exhibits all kinds of intrusive and inappropriate behavior; at least, inappropriate at Harvard. For example, the system can build a profile with the IP addresses of computers at Harvard that are going to porn sites, Internet gambling sites, job boards and so on. This data could trivially be cross-tabulated against authentication logs or Ethernet media access control (MAC) addresses to produce detailed reports of each user at the university. At the same time, the system is not keeping detailed logs about its users. It knows when they log in and log out, but it doesn't keep audits of who is searching for what kind of data.

Although it's tremendously important that organizations have the ability to reconstruct what's happened in the past, it's also important to be able to detect when this ability is abused. One way to do that is by having surveillance systems automatically generate logs and reports of their own use. We use this sort of approach in our government, where surveillance requests are reviewed in detail both before and after the surveillance takes place. The Administrative Office of the U.S. Courts publishes an annual wiretap report that details summary information for every court-ordered wiretap in the United States. Organizations that have surveillance equipment should institute similar procedures, and surveillance tools such as QRadar should generate immutable logs that record not just who logged in and who logged out but also what they did. ■


Simson Garfinkel, CISSP, is researching computer forensics and human cognition at Harvard University. Send feedback to machineshop@cxo.com.
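The immutable use-log the column asks for, as an added example that is not QRadar's code: each entry a surveillance console writes (login, every search, every export, logout) commits to the SHA-256 hash of the entry before it, so an after-the-fact edit or deletion of any entry breaks the chain and can be pointed to. The analyst session and the `AuditLog` class are constructed for illustration.

```python
"""Hash-chained audit log of who used a surveillance console and what they did.
Added example; the console, the analyst session and the log format are constructed."""
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(prev_hash: str, record: dict) -> str:
    # canonical JSON so the same record always hashes the same way
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry stores and commits to its predecessor's hash."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, ts: int, user: str, action: str, detail: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        rec = {"ts": ts, "user": user, "action": action, "detail": detail, "prev": prev}
        h = _digest(prev, rec)
        self.entries.append(dict(rec, hash=h))
        return h

    def verify(self) -> Optional[int]:
        """Index of the first entry whose hash or back-link does not check out,
        or None when the whole chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(prev, body) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def actions_of(self, user: str) -> List[Tuple[str, str]]:
        """What a given user did, not merely when they logged in and out."""
        return [(e["action"], e["detail"]) for e in self.entries if e["user"] == user]


def build_sample_log() -> AuditLog:
    """Constructed analyst session: login, two searches, a pcap export, logout."""
    log = AuditLog()
    log.append(1000, "analyst1", "login", "console")
    log.append(1010, "analyst1", "search", "flows src=10.20.5.17 last=24h")
    log.append(1020, "analyst1", "search", "flows dst_port=6667 last=7d")
    log.append(1030, "analyst1", "export", "pcap ticket=INC-0042")
    log.append(1040, "analyst1", "logout", "console")
    return log


def edited_copy(log: AuditLog, index: int, new_detail: str) -> AuditLog:
    """Simulate someone rewriting one stored entry while leaving the hashes alone."""
    forged = copy.deepcopy(log)
    forged.entries[index]["detail"] = new_detail
    return forged


def deleted_copy(log: AuditLog, index: int) -> AuditLog:
    """Simulate someone removing one stored entry from the middle of the log."""
    forged = copy.deepcopy(log)
    del forged.entries[index]
    return forged


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())                                   # None
    print("edited:", edited_copy(log, 2, "flows last=1h").verify())  # 2
    print("deleted:", deleted_copy(log, 1).verify())                 # 1
    for action, detail in log.actions_of("analyst1"):
        print(f"  {action:7} {detail}")
```
Deleting the last entry is not detected by the chain itself; in practice the latest hash is also published or copied somewhere the console cannot overwrite, so truncation at the tail shows up as a mismatch against that copy.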








ILLUSTRATIONS BY JOHN MacDONALD


IN THIS STORY A dive into AT&T's security strategy ■ Arguments for and against "in-the-cloud" security ■ The evolution of MSSPs


From AT&T's Global Network Operations Center 40 miles west of New York City, CISO Ed Amoroso has as wide a window into the Internet as anyone. With a glance at a two-story wall covered with computer monitors and television screens, Amoroso can tell at any given moment how much e-mail, Web and voice-over-IP traffic is streaming across AT&T's data networks, buzzing its way from business to business, person to person. The amount of Internet traffic represented in the room is staggering. On the average business day, almost 10 petabytes of data pass through AT&T's networks, more information than the entire Web contained in 2000.


Too bad that almost all of it is garbage.

More than 80 percent of the e-mail coming in to AT&T is spam. About 1 million of the home computers AT&T sees each day are thought to be infected with bots, reaching out to hundreds of other IP addresses far more quickly than any Internet surfer with DSL or a cable modem ever would. Before a worm strikes, technicians see strange spikes of traffic going to normally obscure ports, as malware developers test and tweak their code. A sudden, sharp increase in the amount of Web traffic worldwide could mean breaking news, or a distributed denial-of-service (DDoS) attack being lobbed at a single company halfway around the world.

But Amoroso's window into a rapidly junkifying Internet is largely just that: a window. For the most part, he says, all he can do is sit and watch through the glass, as unwanted or malicious traffic makes its way from point A to point B.

"The standard service-level agreement is that we just push the traffic in and out," he says. "We don't touch it. We can do some upstream and downstream filtering if we see something that will affect our infrastructure, but you getting a spam, or you having some weird protocol aiming at you, I would love to filter that, but it's not that simple."

That’s  because  a  telecommunications 
company’s  job  has  always  been  to  pass  traffic, 


not  pass  judgment.  “The  starting  point 
[for  Internet  carriers]  is  no  responsibil¬ 
ity  whatsoever,”  says  Jonathan  Zittrain, 
professor  of  Internet  Governance  and 
Regulation  at  Oxford  University.  “Echo¬ 
ing  the  original  spirit  of  Internet  proto¬ 
col  design,  the  job  of  a  router  is  simply 
to  move  a  packet  one  hop  closer  to  its 
destination.” 

This  is  the  reason  for  the  intense 
debate  over  whether  to  forgo  so-called 
net  neutrality,  in  which  Internet  carriers 
treat  all  packets  the  same.  Even  as  carri¬ 
ers  argue  that  they  should  be  allowed  to 
prioritize  high-revenue  content,  however, 
AT&T  has  been  quietly  getting  permis¬ 
sion  from  its  customers  to  stop  certain 
kinds  of  traffic  altogether.  Already,  some 
businesses  have  signed  up  to  have  AT&T 
filter  out  spam,  viruses,  DoS  attacks  and 
other  malicious  activity  behind  the  scenes, 
before  the  traffic  touches  their  enterprises. 
AT&T  is  now  working  on  the  “productiza¬ 
tion”  of  similar  services  for  its  home  cus¬ 
tomers.  In  Amoroso’s  vision  of  the  future, 
telecom  companies  will  routinely  deliver 
not  the  diseased  melange  of  today’s  pure 
Internet,  but  a  “clean  pipe”  of  good  (or  at 
least  decent)  traffic.  Less  junk,  fewer  risks. 
Here’s  your  bill. 

It’s a necessary gambit for an ocean-ship of a company ($63 billion) in an industry that faces new competition and downward pricing pressure, the result of the excess telecommunications capacity laid during the late 1990s and early 2000s. “The carriers are looking for ways to differentiate themselves so they’re not just competing on who’s got the cheapest bits per second, and they’re also looking for ways to stop the decline in dollars per bits per second,” says John Pescatore, a vice president at the IT research firm Gartner.

Photo caption: CISO Ed Amoroso says AT&T’s networkwide view provides “a gold mine of security information.”

According to Pescatore and other observers, AT&T is farthest along in the journey of telecom companies to position themselves as security providers—although competitor Verizon took a huge leap forward in May, when it announced that it was acquiring Cybertrust, one of the country’s biggest names in information security, for an undisclosed amount. Verizon said the acquisition would add 800 employees to its 300-person information security team, along with expertise in computer forensics and identity management and a solid presence in Asia.

28 www.csoonline.com July/August 2007

The growing security ambitions of telecom companies could have a profound impact on how “security” is packaged and sold—by standalone security companies or by network or IT providers; to CSOs as standalone services or to CIOs within a bundle of other services; as products or in a software-as-a-service model. What’s more, the outcome of what AT&T is attempting could influence the very future of the Internet as a free and unfettered, if increasingly dangerous, communications platform. The question is whether the strategy will pay off—whether AT&T’s vast customer base really wants to pay extra for an Internet as safe, banal and micromanaged as a shopping mall.

Bruce Schneier, whose own security company was purchased last year by the United Kingdom’s largest telecom carrier, BT, says that right now, it’s not the telecom industry’s role to stop bad traffic. But if a telecom company can make it profitable to do so, that role will change. And fast.

“They’ll do it if it makes them money,” says Schneier, chief technology officer of BT Counterpane. Until then, he believes, Internet carriers have little incentive to clean up the Internet. Why should they bother? “Bandwidth is cheap.”

Cover Story | Network Security

Telcos as Security Companies

THE IDEA of a telecommunications company acting as a security provider is nothing new. For years, telephone companies and Internet service providers have used their existing relationships with businesses to spread security services onto the network connectivity that’s their bread and butter. Gene McLean, CSO of Telus, the $7 billion Canadian telecom company, says security services have always been part of his company’s offerings; they’ve just never really been marketed. “When we’re dealing with big clients or government contracts, then we put on our security consulting hat,” McLean says simply. “We look at it as a differentiator.”

Typically, telecom companies sell virtual private networks (VPNs) and take over such rote tasks as managing firewalls, intrusion detection systems or other customer premises equipment. This frees up business customers to keep lean staffs or focus on more strategic operations. While standalone managed security service providers (MSSPs) have the same capabilities and, arguably, deeper security expertise, telecom companies have one gigantic advantage: They are already on the payroll.

“Telcos don’t find themselves in the position of having to market the way that pure-plays do,” says Loren Rudd, an industry analyst at Frost & Sullivan, a research and consulting company. “The pure-plays have to evangelize on almost every sale that they make. It’s easy for the enterprises who are migrating to managed security services to call up their telco [and add a feature] like you were adding a cable channel to your TV.”

That’s basically what Dan Antion of American Nuclear Insurers did when he chose to outsource security to AT&T, which had been his phone and Internet vendor for seven years. “It just seemed to make sense,” says Antion, VP of information services at the Glastonbury, Conn.-based underwriter for the nuclear power industry. “We’d been through a lot of projects with them.”

3 Ways to Drive on the Internet

Yes, still some mileage left in the “information superhighway” metaphor

What’s the difference between the current way the Internet works, a typical outsourcing arrangement and the intelligent network that would result from an extreme version of in-the-cloud managed security? Andrew Odlyzko of the University of Minnesota’s Digital Technology Center offers this comparison:

CURRENT SYSTEM: You have a car, and the network provider maintains the roads.

ON-THE-EDGE OUTSOURCING: You have a car, and the network provider maintains the roads and changes your oil and filter for you.

INTELLIGENT NETWORK: Your car becomes a dumb carriage pulled by hooks installed under the pavement. It’s safer, but you’re limited in what you can do. -S.D.S.

Given the middling need for marketing, it shouldn’t be surprising that few people noticed when the telecom companies overtook most of the pure-plays in terms of market share for security services. According to Frost & Sullivan, three of the eight largest MSSPs in North America are telecom companies: AT&T, Sprint and Verizon. Three more are IT services companies—Getronics, IBM and VeriSign—that have gotten big in the MSSP space mostly by eating up smaller pure-plays (most notably IBM’s purchase of Internet Security Systems earlier this year). Until recently, Cybertrust and Symantec were the last two large MSSPs with an information security focus. Symantec, though, is positioning itself more as a purveyor of “infrastructure software,” and the pending purchase by Verizon of Cybertrust further narrows the field. (See chart on Page 33 for details.)

The market is still fragmented, though, with plenty of room for competition. Frost & Sullivan estimates that these large companies combined have only 40 percent of the MSSP market—a market it expects to grow about 20 percent a year through 2010. “I personally think that, if implemented correctly, telcos are a good match for the managed security market,” Rudd says. “The growth trajectory of MSSPs has proven itself in recent years. It’s not speculative for a telco to get involved.”

Telecom companies have reach and resources in their favor, of course. But “it’s not just economies of scale” that give them an advantage, Gartner’s Pescatore says. “It’s that the carriers have access to information that the individual enterprise doesn’t.”

That’s the information that AT&T CSO Amoroso sees through his window on the Internet in northern New Jersey. And that’s the information that he’s hoping to use to move AT&T’s security business from one focused on simply managing customers’ security equipment, to one that’s truly cleaning up the pipes and plumbing of the Internet. “It’s like the blind men and the elephant,” Amoroso says, referencing the folktale of the blind men who each, upon feeling a different part of an elephant, draw vastly different conclusions about the creature before them. “When you sit as one node on the network, you don’t have context. The service provider sits right smack in the middle of the context and has a vantage point that nobody else can have.” His favorite example is that AT&T security analysts knew about the 2003 Slammer worm before it hit, because of strange traffic going to port 1434.

“I’ve looked at this traffic,” Amoroso continues, “and realized that there’s just a gold mine of security information.”
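The port-spike signal described above, as an added illustration that is not AT&T’s tooling or any code from the article: per-port byte counts and distinct-source counts from NetFlow-style records are compared against a per-window baseline, so a port that is normally obscure but suddenly busy from many sources (the constructed sample puts the burst on udp/1434, Slammer’s port) stands out. All flow records, addresses and thresholds below are constructed for the example.

```python
"""Added example (not AT&T's tooling): how a carrier-scale vantage point turns
port-level traffic into an early-warning signal, as in the Slammer/port 1434
anecdote. All flow records and thresholds here are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

PortKey = Tuple[str, int]  # (protocol, destination port)


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record. Constructed sample, not real carrier data."""
    ts: int        # epoch seconds
    src: str       # source address
    dst: str       # destination address
    proto: str     # "tcp" or "udp"
    dport: int     # destination port
    nbytes: int    # bytes carried by the flow


def port_stats(flows: Iterable[Flow]) -> Dict[PortKey, Tuple[int, Set[str]]]:
    """Aggregate bytes and distinct source addresses per (proto, dport)."""
    nbytes: Dict[PortKey, int] = defaultdict(int)
    sources: Dict[PortKey, Set[str]] = defaultdict(set)
    for f in flows:
        key = (f.proto, f.dport)
        nbytes[key] += f.nbytes
        sources[key].add(f.src)
    return {k: (nbytes[k], sources[k]) for k in nbytes}


def spike_ports(baseline: Iterable[Flow], window: Iterable[Flow],
                baseline_windows: int, ratio: float = 5.0,
                min_bytes: int = 10_000) -> Dict[PortKey, dict]:
    """Flag ports whose volume in the current window is at least `ratio` times
    the per-window baseline average (or that have no baseline at all).

    `baseline_windows` is how many windows of the same length the baseline
    covers, so the comparison is average-per-window vs. this window.
    `min_bytes` keeps a port that went from 0 to a few bytes from being reported.
    """
    base = port_stats(baseline)
    now = port_stats(window)
    flagged: Dict[PortKey, dict] = {}
    for key, (cur, srcs) in now.items():
        avg = base.get(key, (0, set()))[0] / baseline_windows
        if cur < min_bytes:
            continue
        if avg == 0 or cur / avg >= ratio:
            flagged[key] = {"bytes": cur, "baseline_avg": avg, "sources": len(srcs)}
    return flagged


def constructed_baseline() -> List[Flow]:
    """Four quiet 5-minute windows: web, a little SMTP, one stray 1434 probe each."""
    flows: List[Flow] = []
    for w in range(4):
        t0 = w * 300
        flows += [Flow(t0 + i, f"10.0.{w}.{i}", "203.0.113.10", "tcp", 80, 1500) for i in range(20)]
        flows += [Flow(t0 + i, f"10.0.{w}.{i}", "203.0.113.25", "tcp", 25, 800) for i in range(5)]
        flows.append(Flow(t0, f"10.0.{w}.99", "203.0.113.50", "udp", 1434, 404))
    return flows


def constructed_window() -> List[Flow]:
    """Current window: web and SMTP as usual, plus a worm-like burst in which
    40 distinct sources each spray 404-byte datagrams at udp/1434 on many hosts."""
    t0 = 1200
    flows = [Flow(t0 + i, f"10.1.0.{i}", "203.0.113.10", "tcp", 80, 1500) for i in range(22)]
    flows += [Flow(t0 + i, f"10.1.0.{i}", "203.0.113.25", "tcp", 25, 800) for i in range(5)]
    for i in range(40):
        for j in range(5):
            flows.append(Flow(t0 + i, f"192.0.2.{i}", f"198.51.100.{(i * 7 + j) % 256}",
                              "udp", 1434, 404))
    return flows


if __name__ == "__main__":
    # Only udp/1434 is reported: web grew 10 percent and SMTP is flat.
    for (proto, port), info in spike_ports(constructed_baseline(), constructed_window(), 4).items():
        print(f"{proto}/{port}: {info['bytes']} bytes this window vs "
              f"{info['baseline_avg']:.0f} avg, from {info['sources']} distinct sources")
```

The distinct-source count is what separates a worm's scanning from one noisy host; a single enterprise watching its own link would see only one or two of those sources.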

Virtual Security

THE CENTERPIECE of AT&T’s strategy to build security into the network—dubbed “in-the-cloud” security services—is a concept that’s gotten increasing attention over the past couple of years. Right now, as CSOs are all too aware, most companies purchase and manage (or outsource the management of) a slew of security devices, from antivirus software to firewalls to intrusion detection and prevention systems. With an in-the-cloud setup, however, many of these tasks can be handled using a virtual device administered by an MSSP. It’s basically a software-as-a-service model, with monthly service fees replacing product, installation and maintenance costs. Gartner projects that as early as 2008, 30 percent of managed security service revenue could come from services delivered in the cloud.

Telecom companies aren’t the only ones pushing for this model. Antispam companies such as MessageLabs and Postini have adopted it, as have pure-play MSSPs such as Perimeter eSecurity and VigilantMinds (which recently merged with another MSSP, Solutionary). “Think of us like the water utility,” says Brad Miller, CEO of Perimeter eSecurity, a $24 million, venture-capital-backed company in Milford, Conn., that used to call itself Perimeter Internetworking. “You could have one big water utility that cleans the water, or every house could have its own water filter. Which way is more efficient?” Obviously, Miller thinks the former.

A security company like Perimeter eSecurity has to either partner with telecom companies (which it does), or convince direct customers to route all their Internet traffic first to Perimeter and then back to their enterprise (which it also does). Telecom companies, on the other hand, need only to get permission from existing customers to filter the traffic that they’re already handling anyway. Rather than evaluating a brand-new contract, the CIO, and perhaps CSO, are just looking at making changes to a service-level agreement and pricing for bandwidth.

Although not everything can be handled at the network level, AT&T currently offers several services in the cloud. First, there’s the network-based firewall, which can be accessed and configured through a Web portal and eliminates the need for a perimeter-based firewall. Second, there’s defense against DoS attacks. With this setup, when a customer’s Web traffic reaches a certain threshold, AT&T diverts the traffic to scrubbers that filter out the bad traffic and direct the good to the company’s website. Third, there’s e-mail security, where AT&T uses third-party software to filter out viruses and spam—typically at least 80 percent of a company’s inbound e-mail traffic. A similar Web security service screens incoming Web and instant-message traffic for malware. Finally, a family of services called Internet Protect notifies customers of unusual Internet activity—the junk on the screens at AT&T’s network operations center—and makes recommendations. For instance, if technicians see early indications of a new worm, they may suggest that a customer temporarily block traffic to the affected port. Right now, most of AT&T’s security customers still favor handling things the old-fashioned way, by turning over the management of what’s known in industry lingo as customer premises equipment (CPE), such as firewalls. One customer CSO spoke with didn’t even seem aware that AT&T is cheerleading the in-the-cloud model, and AT&T says that only about 10 percent of its devices are handled in the cloud. But that’s changing.

For instance, the company says that the number of virtual firewalls it manages has been growing at a compounded rate of 65 percent to 75 percent annually over the past three years and has already passed the halfway point. “The shift is starting to happen pretty rapidly,” says Stan Quintana, vice president of AT&T Security Services. He projects that five years from now, the ratio of in-the-cloud devices to CPE will almost have flipped, with a full 80 percent of services handled virtually.

Even before the announcement that it would acquire Cybertrust, competitor Verizon was saying that its managed security service offerings were growing at a fast clip of about 67 percent a year, with two in-the-cloud services similar to AT&T’s offerings proving to be especially popular. While the Cybertrust acquisition doesn’t add to Verizon’s in-the-cloud offerings, a spokesperson says, it might give the company more options for adding cloud-based functions later on.

One of those already successful services is e-mail filtering, in which inbound e-mail is scrubbed by four antivirus engines and spam is deleted through a partnership with e-mail security company MessageLabs before being passed on to the customer. “It’s the same service [Verizon customers] could get on their own,” Verizon Business CISO Sara Santarelli says, “but they’re only interacting with Verizon’s customer service.”

The second, faster-growing in-the-cloud service at Verizon is DoS protection, in which Web traffic is filtered for spikes of malicious activity. “Things like DoS mitigation and detection are far exceeding industry growth expectations across MSSPs,” Santarelli says. “A lot of customers keep traffic running through our [DoS attack] mitigation units all the time, just as added insurance.”

None of which should be much of a surprise, given that companies such as Gartner suggest that customers demand DoS protection from their connectivity provider. “That’s been our recommendation,” Pescatore says. “Whoever you choose for your bandwidth, tell them, ‘I don’t want the raw bandwidth costs. Give me your price for DoS-protected bandwidth, and I’ll compare you with others on that basis—not just on who sells me the cheapest bits per second.’”

Both AT&T and Verizon declined to provide any specifics about revenue for their security operations, but Pescatore estimates that right now, telecom companies are getting about 10 percent to 20 percent additional revenue by adding security filtering to connectivity charges. The question is how long that will last. “At some point,” Pescatore predicts, “one of them is going to say, ‘Hey, we’ll give you that DoS protection for free if you switch from them to us.’”

Indeed, much of the industry’s shift to security services seems more about staying competitive than about making buckets of money. “It’s not a great portion of our revenue, but it’s strategic to our overall revenue,” Quintana explains. “When customers are evaluating AT&T versus vendor A, B or C, our security portfolio acts as a differentiator to pull through” the sale.

But Will It Work?

LONGER TERM, however, it remains unclear whether customers will really decide in droves to turn over their security to telecom companies—or to anyone. For one thing, not everything can happen in the cloud. Even if an Internet carrier scans incoming e-mails for viruses, for instance, the company still needs a desktop application to guard against malicious code introduced by USB drives or other portable devices. What’s more, the Fortune 1000 customers that large telecom and IT companies have historically courted are likely to have contracts with multiple telecom companies for reasons of redundancy, and also tend to want security devices onsite that they can configure on a moment’s notice. The outsourcing model may be better suited to small and midsize businesses that can’t afford to hire round-the-clock security and IT staff—and even they may be reluctant to give up their boxes and blinking lights and move to a virtual model.

At Visions Federal Credit Union, VP and CIO Tom Hull decided to turn over 24/7 security monitoring to Perimeter eSecurity, but still keep the company’s own firewalls. “I think there is a hard sell there,” says Hull (whose Endicott, N.Y.-based company has just 400 employees and annual sales of $80 million) of the in-the-cloud model. “We still retain their help in managing the firewalls, but we didn’t want to rely on the schedule of a third party to institute any changes in our environment. Plus, as it relates to any outages, downtime, system maintenance or things of that matter, that was another thing we could not relinquish control of.”

In London, AT&T customer Martin Joy also decided against AT&T’s virtual devices. “I’m not keen to see a device on my premises. The important thing is to make sure the technology makes sense and delivers what we want,” says Joy, CIO of Control Risks, a $219 million risk consultancy. Nevertheless, he felt that his business needs were best met by turning over management of firewalls and other devices to AT&T, while keeping his antispam function handled in the cloud by a separate e-mail security company. For him, it was a question of one-stop shopping versus what he perceived as best-of-breed.

On a broader scale, it’s unclear whether home consumers will ever want to sign up for a “clean” Internet. AT&T is testing how it could roll out a version of its corporate security offerings to home customers, but already executives have concluded that even its target audience—parents of school-aged children—might not be content with just a Disneyfied version of going online. “Maybe Dad wants to do online gambling but keep teens away from it,” Amoroso says. “We’re just trying to create something people will like and that matches what people want to do.” That will likely involve different versions of the Internet, perhaps delivered to homes based on who’s at the computer—a far cry from really cleaning up the junk in the pipes of the Internet.

For now, and maybe for the long run, companies like AT&T will have to continue to make careful decisions about what traffic they can safely delete without violating their service-level agreements with customers or overstepping their bounds as common carriers that just pass bits from left to right. Amoroso says that AT&T can and does delete malicious traffic that will affect its infrastructure. It also deletes e-mail traffic coming from known blacklists of spammers and blocks port 25 on its DSL lines unless a customer requests otherwise. (Amoroso estimates that 75 percent of spam comes from compromised home PCs, usually on port 25, which is not the port that a typical DSL subscriber uses for outbound e-mail.) But for the most part, AT&T can do so only on behalf of a customer—not on behalf of the Internet at large.

“I don’t think there’s a single carrier that would do that, only because that’s pretty presumptuous,” Amoroso says. “If there was some general council in Geneva, some tribunal that decided all carriers must do the following, it would be easy enough to do. But I don’t think that’s a role that the carrier has been asked to do or would be comfortable doing.”

Even deleting the most egregious traffic can raise issues. Amoroso says there have been cases where AT&T terminated a portion of an agreement with a customer who was on the blacklist of spammers—in other words, a customer whose every outgoing e-mail AT&T would normally delete.

Understandably, AT&T wants to distance its security operations from the net neutrality controversy as much as possible. After one interview with CSO, a public relations professional called to emphasize that cleaning up traffic for security reasons is entirely different from segmenting different types of traffic into high-speed lanes. But the fact remains that both activities involve value judgments about which traffic deserves to go where and when. And that further complicates Amoroso’s lofty version of the “cleaner” Internet of AT&T’s future.

Pipe Dreams?

If a security incident occurs, is your MSSP liable for the damages? Not likely.

So you decide to get rid of your boxes and blinking lights and have your telecom provider handle security in the cloud—and something bad gets through anyway. Can you hit up your managed security service provider for damages? Hardly. “There is no one in the industry that will take on a liability SLA,” says Stan Quintana, vice president of AT&T Security Services. “What the industry is doing, however, is putting in place SLAs to compensate or give back some of the fees.”

John Pescatore, a VP at Gartner, compares this arrangement with the contract home buyers sign when they have a house inspection done. “When you go to buy a house, you have to get a termite inspection,” he explains. “You read through all the contract and it says, at the bottom, even if we say there are no termites, if your house falls down the next day [because of termites], we’ll give you back the $49 that you paid for the inspection.”

As far as collecting any more money for damages than the service fees you paid to an MSSP, Pescatore says, “you’d need better lawyers than theirs.” -S.D.S.

“Filtering out traffic makes the carriers less neutral, no doubt about it,” Oxford University’s Zittrain says. And the more the carriers do so, he predicts, the more difficult it may become. “They are holding back not because of some ideological principle like a belief in net neutrality,” Zittrain continues, “but because they see no reason to get into a customer-service nightmare of quarantining their compromised subscribers and then helping them to fix their machines.”

Technically speaking, Internet carriers such as AT&T, looking out at their charts of DoS attacks and spam and unfolding worm- and bot-related activity, may indeed be in the best position to fix the Internet. But actually doing so, outside the prescribed version of the Internet that businesses want to make available, simply may not be a task that they are in a position to accomplish.

“People want simplicity, but they also want flexibility,” says Andrew Odlyzko, director of the Digital Technology Center at the University of Minnesota, who worked in research at AT&T Bell Labs for 26 years. “That’s the conflict. If the telecom environment were stable and predictable, then the smart Ma Bell network”—in which Internet users are carried from one clean and safe place to another—“would make a lot of sense. People don’t want to worry about the complexity of spyware, viruses, corrupt files. But they want new services, like YouTube. So you have this tension. It’s there, and it will continue to be there.

“I don’t expect that AT&T or any other carrier can provide a foolproof solution to computer insecurity,” Odlyzko continues. But he won’t go so far as to say that telecom companies are just wasting their time, either. “I think they can do some [of the solution] and make money at it too.” ■

Senior Editor Sarah D. Scalet can be reached at sscalet@cxo.com.

The Eight (Make That Seven) Largest MSSPs

The number of managed security service providers (MSSPs) continues to shrink, while individual players grow larger—as evidenced by Verizon’s announcement in May that it was acquiring Cybertrust. An overview of the seven companies with the largest MSSP market share in North America, according to the research company Frost & Sullivan.

Columns: COMPANY (industry; headquarters) | 2006 SALES | 2006 NET INCOME | KEY SECURITY ACQUISITIONS

AT&T (Telecommunications; San Antonio)
2006 sales: $63 billion | 2006 net income: $7.4 billion
Key security acquisitions: None

Getronics (IT services; Amsterdam)
2006 sales: $3 billion* | 2006 net income: $4.7 million*
Key security acquisitions: RedSiren (MSSP) in 2005 for an undisclosed amount

IBM (IT consulting, software and hardware; Armonk, N.Y.)
2006 sales: $91 billion | 2006 net income: $9.5 billion
Key security acquisitions: Internet Security Systems (MSSP) for about $1.3 billion in 2006; Consul (security and compliance software) in 2007; Watchfire (security and compliance testing software) in 2007

Sprint Nextel (Telecommunications; Reston, Va.)
2006 sales: $41 billion | 2006 net income: $1.3 billion
Key security acquisitions: None

Symantec (Information security; Cupertino, Calif.)
2006 sales: $4.1 billion | 2006 net income: $157 million
Key security acquisitions: Numerous acquisitions over the past five years, including @Stake (consulting), Brightmail (messaging security), IMlogic (instant messaging security), Platform Logic (intrusion prevention), Recourse Technologies (intrusion detection) and Riptech (MSSP)

VeriSign (Infrastructure services; Mountain View, Calif.)
2006 sales: $1.7 billion* | 2006 net income: $407 million*
Key security acquisitions: Guardent (MSSP) in 2004 for $140 million; iDefense (security intelligence) in 2005 for $40 million

Verizon Communications (Telecommunications; New York City)
2006 sales: $88 billion | 2006 net income: $6.2 billion
Key security acquisitions: In the process of acquiring Cybertrust, which by itself was one of the eight largest MSSPs and was formed in the 2004 merger of Betrusted (identity management), TruSecure (risk management) and Ubizen (MSSP).

SOURCES: HOOVERS, COMPANY RECORDS

* 2005 sales and net income




{ how to }

STAY COOL on the HOT SEAT

In the event of a crisis or a security breach, the media will come calling. Here’s your playbook for making them allies, not antagonists.
By Bob Violino

IN THIS STORY: Why honesty pays off. How to help quash rumors. Why “no comment” works against you.


BUSINESSES DEAL WITH CRISES from time to time—whether it’s an incident that barely warrants attention or a major event that makes headlines across the country.

When something really bad happens, such as a natural disaster that forces a company to evacuate headquarters or a security breach that results in lost or stolen data, the media will come calling. How organizations deal with the blitz could affect the long-term impact of the crisis. An effective and constructive response might help put the company in a positive light during a tough time. An ineffective or antagonistic reaction might make a disastrous situation even worse.

Here are some things organizations should and shouldn’t do when dealing with the media after a security incident or business-interrupting event.


Do... 

Be truthful. When it comes to dealing with the media, honesty really is the best policy. “One of the most important things is to try to understand what the media is interested in. The media is interested in accurate, truthful information, something that will be of interest to their readership [or viewers],” says Brit Weber, program director at the School of Criminal Justice at Michigan State University in East Lansing, Mich.

“If you don’t know the answer, indicate that it’s information you don’t know at this point and hope to [provide] later,” says Weber, who has worked in various fields of crisis management since 1972.

At IT services provider EDS in Plano, Texas, “our whole approach to any kind of thing like a crisis is to have open transparency; be forthcoming and tell as much of the story as you can within the limits of the law and good common sense,” says Dave Morrow, chief security and privacy officer, responsible for corporate crisis management.

“Be as open and communicative as possible,” Morrow says. “I’ve seen some instances where good or bad external communications really made the difference between a crisis being handled really well or being handled really poorly.” He cites the oft-mentioned Tylenol product-tampering case of 1982 as an example of a good practice in dealing with the media.

“They were very forthcoming and got ahead of the curve,” Morrow says. “Tell the truth and don’t try to lie because a lie will come back to bite you.” He says EDS in the summer of 2006 had to deal with a case of a stolen laptop that contained sensitive data. The company told clients and the media exactly what happened, Morrow says.

Provide  useful  information. 

Going  into  a  shell  during  a  crisis  isn’t 
wise,  experts  say.  “We  hear  people 
repeatedly  say  ‘no  comment.’  That’s  not 
going  to  make  the  incident  go  away  nor 
the  media,”  Weber  says. 

Instead, organizations should be as forthcoming as possible with information about the specific incident, and provide any relevant background information that will help the media put the situation in proper context. “Tell them what you do,” Weber says. “Provide a fact sheet or release that explains what your business does.”

The process of dealing with the media during a major crisis should be managed by a crisis management team or similar function, to ensure that accurate and up-to-date information gets out.

Plan  for  crisis  management 
and  include  media  relations. 

Having  a  plan  in  place  for  how  to 
handle  a  crisis  and  the  accompanying 
media  coverage  is  better  than  dealing 
with  these  things  on  the  fly. 

“Think through options and course of action before you need it,” says Tess Koleczek, chief privacy officer at E-Loan, a financial services firm. Those involved in managing media dealings in a crisis should include the CEO, head of the division involved and representatives from legal and public relations, Koleczek says.

Jonathan Bernstein, president of consultancy Bernstein Crisis Management, agrees that preparation is crucial. “The biggest mistake is failure to plan. That has a cascading effect in terms of the types of errors that occur,” he says. Without planning, “you can’t respond as quickly and you won’t be prepared for what to say and do in advance.”


People from public or media relations should be part of the planning process from the beginning, says Morrow. “Today we had an exercise that we do quarterly on some [crisis] scenario, and we included the internal and external corporate communications folks,” Morrow says. “We have to let them know how things are handled.”

Train  your  spokespeople. 

“One of the most important things is that the person who’s talking with the media should be someone who has gone through some type of training on dealing with the media and providing what they need,” says Weber.

In a crisis, many organizations automatically put the CEO in front of the media, Weber says. But if the chief executive or other designated spokesperson isn’t comfortable or familiar with reporters, cameras and microphones, that could backfire.

“All  spokespeople  need  to  be  trained 
to  deal  with  friendly  interviews  and 
in-your-face  ambush  interviews,”  says 
Bernstein.  “It’s  not  an  intuitive  skill.” 

Establish an ongoing relationship.

Organizations that keep media outlets—such as local newspapers and TV stations—informed on an ongoing basis will be less likely to have misunderstandings when a crisis arises. They might even rely on the media for help in disseminating information.

“It’s  very  important  for  corporations 
to  have  a  collaborative  or  partnership 
process  with  the  [local]  media,”  says 
Weber.  “Don’t  wait  for  an  incident  to 
happen.” 

At EDS, “we have to have a certain amount of trust developed between the various members of the media and us,” says Morrow. “If something goes wrong, I need the media to help me get the word out to people and institutions. If we have an incident at one of our facilities, we need [the media] to get the word out because I certainly can’t do that.”

Don’t...

Treat the media as an enemy.

This is a common response—and a poor one, experts say. It’s natural to circle the wagons during a crisis and view the media as a threat. But oftentimes the more an organization shuts out the media, the more reporters and editors speculate on what happened or what’s still happening during a crisis.

Reporters will look for sources inside and outside the company, who might provide inaccurate or outdated information. “If I’m that media person and if I perceive that you’re hiding information, I’m going to be interested in trying to find why you’re hiding it,” says Weber. “Treating the media as an enemy is very negative. Even if things are not reported like you [want them to be], it doesn’t mean the relationship is broken at that point.”

E-Loan doesn’t see the media as an enemy, Koleczek says. “We take the opposite approach and actually believe that the media would be a good resource to communicate with our consumers,” she says. “We would welcome the media to share how we are handling the problem and to let consumers know what steps we are taking to rectify the situation.”

Let the media be the only source of news.

Although news media strive to get accurate information to the public, it’s important that organizations not rely solely on media outlets to tell the story.

“Even though the media is telling their version, you as a corporation still need to communicate with your most important resources,” including employees, vendors and shareholders, says Weber. “Don’t rely on the media as a single source, even if it is accurate. All those [groups] want to hear from you.”

To help get the word out, Weber recommends using communications tools such as employee newsletters.

In addition, officials can make personal appearances to groups such as a chamber of commerce or business association.

Bloggers: The “New” Media

The definition of “media” has broadened in recent years. Organizations not only have to deal with traditional news outlets such as newspapers, magazines and broadcast stations, they also must address an array of cable news channels, websites and bloggers.

Bloggers, in particular, have become an intriguing new form of media. Just about anyone with a computer and Web access can start a blog and write about your organization.

“On the one hand, [bloggers] can be a problem since so many do not take the responsibility seriously” and don’t fact check, says Tess Koleczek, chief privacy officer at E-Loan, a financial services firm. “On the other hand, most bloggers show a remarkable amount of passion and can be a tremendous asset by serving as watchdog.”

Experts say there are ways organizations can address the growing blogosphere. “With search engines it’s very easy to get a pretty good handle on blogs and websites,” says Jonathan Bernstein, president of consultancy Bernstein Crisis Management.

Bernstein says there are services companies can subscribe to that help them search for particular blogs that look at the organization regularly. “It’s an easy chore—a great chore to give to an intern,” he says. “They can produce reports that management can look at. How to interact with a blogger has to be decided on a case-by-case basis. Blogs are particularly important to watch because they can quickly move to page one in a search.” -B.V.

Forget your employees.

The people who work at the organization must be kept apprised, as much as is reasonable, during a crisis. Many organizations tend to keep employees in the dark during a difficult time, and that’s a mistake, Weber says.


“They  all  have  associates  who  want 
to  know”  what’s  going  on  when  there’s  a 
crisis,  Weber  says.  “Employees  will  start 
calling  the  media  if  there’s  a  major  crisis 
like  an  evacuation.  That’s  why  it’s  vitally 
important  to  tell  your  employees  what’s 
going  on,”  so  they  don’t  give  out  wrong 
information. 

Morrow says EDS employees who aren’t authorized to communicate with the media are instructed not to provide information. “We’ve been making our employees very aware that there are certain ways to treat requests for information, and who to call,” he says. “We don’t let employees respond to the media on their own.” ■


Bob  Violino  is  a  freelance  writer.  Send  feedback  to 
csoletters@cxo.com. 




Pocket Protection

The facts, the scams, are real. The CIO? Not so much. But here’s how organized crime uses technology to make money.

As envisioned by Scott Berinato


People  call  me  a  lot  of  things. 

Nobody  would  ever  call  me  a 
CIO,  but  after  reading  CSO 
magazine  a  little  bit,  I  guess 
that’s  basically  what  I  am. 
Maybe  I’m  a  little  younger 
than  you.  A  little  more  techy.  I  know  my 
routers  and  code. 

Most  of  the  guys  I  work  with,  they  don’t 
like  computers.  They  get  frustrated.  Lots  of 
times  they  want  to  shoot  their  computers, 
like  that  guy  in  Colorado  did.  I  printed  out 
that  story  and  gave  it  to  one  of  my  guys.  He 
loved  it,  especially  the  part  where  the  guy 
hung  the  dead  computer  on  the  wall  of  his 
bar.  “I  love  this  Colorado  guy,”  he  said.  And 
he  passed  it  around  to  all  the  guys.  “You  have 
to  read  this  story  MIT  gave  me.”  Yeah,  they 
call  me  MIT,  like,  “Let’s  ask  MIT  if  we  can 
set  up  an  online  account”  or  “Maybe  MIT 
can  make  a  website  for  that.”  A  website  for 
what?  For  making  money,  what  else?  Isn’t 
that  why  anyone  sets  up  a  website? 

Yeah,  I  deal  with  the  same  stuff  you  do. 
Same  headaches.  I’m  constantly  replacing 
and  fixing  stuff  and  trying  to  do  whatever 
helps  the  bosses  grow  the  business,  as  you 
call  it. 



Bosses.  I  mean,  bosses  are  the  worst, 
right? 

The  Penny  Stock  Scam 

WE’RE  IN  a  real  boom  right  now.  Credit 
cards.  Gambling.  You  heard  about  that  stock 
deal?  The  one  that  uses  that  new  image 
spam?  This  is  an  old-fashioned  pump-and- 
dump  scam  but  with  a  cool  techno  twist. 

This  wasn’t  mine,  but  I  know  a  guy  who 
knows  the  guy  who  set  it  up.  Here’s  how  he 
worked  it. 

First, he rented a botnet. That was for e-mail distribution. He pays, I don’t know, say $50Gs for a month, turns around and promises the bot-herder a taste in exchange for that month’s usage and some guaranteed uptime. You know, he says, deliver 10 million e-mail messages for me and I’ll guarantee you some back-end cash.

So the bot-herder knows a kid who wrote this absolutely killer image spam application that creates the e-mail messages. Pays him a flat fee. I mean, the kid could’ve asked for a lot more, but a lot of these programmers are pretty young and dumb. You wave some cash and they think, “Flat screen TV!” Anyway, he tells the kid to make the program create advertisements for pink slip stocks, those unlisted ones that trade for pennies. It all gets done in like 15 minutes after they get some of the basic wording down.

So  then  this  guy  sets  up  offshore 
accounts  online  (in  Brazil,  I  think)  to  collect 
the  investments.  His  guys  all  buy  something 
like  10,000  shares  at  30  cents  per.  Then  the 
botnet  goes  to  work.  Starts  mass  mailing 
the  ads  for  the  stocks.  And  the  beauty  part 
is  those  little  messages  get  by  all  the  spam 
filters  because  the  filters  are  looking  for 
text,  but  with  the  image  spam  all  the  filters 
see  is  a  million  different  images,  each  one 
unique,  even  though  they  all  say  the  same 
thing: Buy this stock. [Editor’s note: For more on image spam, go to www.csoonline.com/read/040107/fea_spam.html.] Genius.
Finally,  enough  people  invest  to  drive  up 
the  price.  Eighty  cents  a  share.  A  buck. 
Two.  Eventually,  our  guys  sell,  make  a  nice 
chunk  of  change,  the  stock  tanks  and  the 
suckers  who  got  in  on  the  e-mail  tip  lose 
their  shirts. 
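The evasion the narrator describes works against filters that look for text or compare exact fingerprints: if every message carries a byte-unique picture, a blocklist of known-bad images never matches. The counter a practitioner reaches for is near-duplicate detection. The following Python is an added example, not code from the article or from any product it mentions; it constructs toy grayscale “images” of the same pitch with per-message noise (the canvas size, the rendering scheme and the 6-bit threshold are assumptions chosen for the demo, and the pitch text is made up) and shows that SHA-256 differs on every render while an average hash, a standard perceptual-hash technique, still lands within a few bits, so the campaign can be clustered and flagged.

```python
"""Image spam vs. exact-match filtering: an added example.

The toy 'images' below are constructed 2-D grayscale arrays standing in for
the per-message-unique pictures described in the text; they are not real
spam samples. Every render of the same pitch gets fresh pixel noise, so a
byte-exact fingerprint (SHA-256) differs each time, while a perceptual
average hash (aHash) still clusters the renders as one campaign.
"""
import hashlib
import random

W, H = 64, 16               # constructed canvas: 64 px wide, 16 px tall
CHAR_W = 4                  # each character becomes a 4 px wide dark block
BAND = (4, 12)              # the 'text' occupies rows 4..11


def render_message(text, seed):
    """Constructed stand-in for an image-spam renderer (an assumption).

    Bright background (~220) with one dark block per character, plus
    per-message random noise so no two renders are byte-identical.
    """
    rng = random.Random(seed)
    img = [[220 + rng.randint(-5, 5) for _ in range(W)] for _ in range(H)]
    for i, ch in enumerate(text[: W // CHAR_W]):
        x0 = i * CHAR_W
        for y in range(*BAND):
            for x in range(x0, x0 + CHAR_W):
                img[y][x] = 30 + (ord(ch) % 20) + rng.randint(-5, 5)
    return img


def exact_hash(img):
    """Byte-exact fingerprint, i.e. what a signature/blocklist filter matches."""
    raw = bytes(p for row in img for p in row)
    return hashlib.sha256(raw).hexdigest()


def average_hash(img, size=8):
    """Classic aHash: block-average down to size x size cells, then emit one
    bit per cell: 1 if the cell is brighter than the global mean, else 0.
    Small per-pixel noise averages out, so near-identical renders collide."""
    bh, bw = H // size, W // size
    cells = []
    for cy in range(size):
        for cx in range(size):
            block = [img[y][x]
                     for y in range(cy * bh, (cy + 1) * bh)
                     for x in range(cx * bw, (cx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def matches_campaign(img, known_hashes, threshold=6):
    """True if img is within `threshold` bits of any known-spam aHash.
    An exact-match lookup would need every variant enumerated in advance."""
    h = average_hash(img)
    return any(hamming(h, k) <= threshold for k in known_hashes)


if __name__ == "__main__":
    pitch = "BUY XYZQ NOW"                   # constructed pump-and-dump wording
    first = render_message(pitch, seed=1)    # the sample an analyst captured
    first_hash = average_hash(first)
    known = {first_hash}
    for seed in range(2, 5):                 # the next renders the botnet sends
        later = render_message(pitch, seed=seed)
        print("sha256 equal:", exact_hash(later) == exact_hash(first),
              "| aHash distance:", hamming(average_hash(later), first_hash),
              "| flagged:", matches_campaign(later, known))
    legit = render_message("Hi", seed=9)     # constructed unrelated image
    print("unrelated flagged:", matches_campaign(legit, known))
```

Run it and the SHA-256 comparison is false on every render while the aHash distance stays at zero, which is the whole asymmetry: the spammer pays nothing to change bytes, but changing what the picture looks like costs him the message. Real deployments use a proper image decoder and a hash such as pHash or dHash, and tune the threshold on labelled traffic.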

Like  I  said,  a  classic  pump-and-dump, 
but  back  in  the  day  it  was  a  lot  harder  to  do. 
It  required  a  lot  of  legwork,  relationships 
with reporters and brokers. Compared to that, this is, like, nothing.

I  know  what  you’re  thinking:  Who 
believes  an  anonymous  e-mail  that  says 
such-and-such  company  you’ve  never  heard 
of  is  at  a  quarter  a  share  now  but  is  heading 
to  five  bucks?  Hey,  I  don’t  know,  but  you 
send  out  10  million  messages,  you  get  1,000 
to  invest,  that’s  only,  what?  A  hundredth  of 
a  percent?  I’d  say  the  sucker  population  is 
a  lot  bigger  than  that. 

It  was  a  great  little  business.  One  of 
those  stocks  hit  six  bucks!  But  then  the  Feds 
sniffed  it  out  and  suspended  trading  on 
those  penny  stocks  in  March.  Maybe  when 
things  cool  off,  it’ll  pick  up  again.  By  that 
time,  the  spam  filters  will  probably  have 
adjusted  and  we’ll  have  to  go  back  to  the 
programmers  for  their  latest  bots. 

Everyone  Wants  ID... Just 
Not  Their  Own 

THE  BIG  money  is  in  credentials. 

Look, the world runs on credit, and what you need to get credit are personal credentials. That’s what everyone is after right now. And that’s where a lot of our investments are: credentials for lines of credit.

That TJX thing last January? No, not me. But let’s say I’ve had beers with someone who worked on that job. It sounds like the heist of the century, right? What, 40 million personal records? But really it’s pretty basic stuff. If you want to get into the credentials market, you do three things: One, get inside access to someone who stores lots of personal data. Retail is great for that. Think about how many cards are swiped every second at those places. Two, invest in antiforensics, because once you’re in, you want to stay invisible until you’re done. [Editor’s note: For more on antiforensics, go to www.cio.com/article/114550.]

Three,  after  you  got  the  credentials, 
behave.  I’ll  explain  that  one  in  a  minute. 

I’m  not  saying  the  TJX  deal  went  down 
this  way,  but  here’s  how  I’d  do  it  based  on 
what  this  guy  told  me. 

Inside  access.  That’s  easy.  You  spread 
some  USB  keys  around.  People  see  them 
and  go,  Cool,  free  dongle!  Only  when  they 
plug  them  in,  a  little  program  installs  some 
bots  or  keyloggers  onto  their  machine.  From 


there,  you  root  around  until  you  get  deeper 
into  the  network.  (There  are  other  ways 
too.  Dumpster  diving  for  paper  records 
and  credit  card  statements.  Paying  off  the 
custodial  staff.  This  stuff  is  as  old  as  time; 
computers  just  make  it  easier.) 

After  gaining  access,  it’s  time  to  invest 
in  antiforensics.  Look,  I  don’t  care  if  they 
can  see  what  I  did  as  long  as  they  can’t  see 
it  was  me  that  done  it.  We  have  this  saying 
here  about  antiforensics:  Make  it  hard  for 
them  to  find  you  and  impossible  for  them 
to  prove  they  found  you.  We’ve  got  a  whole 
bunch  of  software  that  allows  us  to  cover 
our  tracks  and  keep  us  basically  invisible 
while  we’re  inside  someone’s  system.  What’s 
great  is  a  lot  of  antiforensic  tools  are  free. 
They’re  all  over  the  Internet.  We  buy  others, 
like  encryption  programs  and  data  wipers 
like  Evidence  Eliminator.  This  guy  I  had 
beers  with  says  a  few  guys  are  even  experi¬ 
menting  with  ways  to  make  someone  else 
look  guilty.  You  know,  send  the  cops  down 
the  wrong  path. 

At  that  point,  you  install  a  little  program 
that  collects  the  credentials.  Sometimes  we 
use  ’em;  most  of  the  time  we  sell  ’em.  We’ve 
been  working  on  a  subscription  service.  You 
pay  for  access  to  credentials  for  a  certain 
period  of  time.  We  can  get  $1,000  a  month 
or  more  for  a  subscription  pretty  easy.  That 
adds  up. 

But what we’ve run into—a big problem—is that lots of guys get their hands on this information and just start buying stuff. They have no discipline. Look at TJX. Those guys got busted for using the credentials they lifted to buy gift cards for, what, like $20Gs or something? I mean, you buy a $20,000 gift card, someone’s going to notice. So don’t do Visa’s job for them. All it takes is one jerk who gets some credit and buys a Bentley to take down an entire business. Find guys who can wait to use the credentials and then, when they do, use them in a way that looks normal.

They  Gamble;  We  Don’t 

RIGHT NOW, we’re setting up a service out of Costa Rica. It’s a—how do I put it?—it’s a high-risk, high-return investment service for sports fans.

So how do I set up something like that? Like any project, with a lot of legwork. I’ve got to get my guy in Costa Rica to set up the back-end servers. Costa Rica’s great because everything’s available right in one building. I call my guy and say, “It’s MIT. I need some stuff.” He just walks down the hall to the ISP, gets servers and backups, and then goes upstairs to the Web developers. It’s out-of-the-box, like calling up IBM Global Services or something. There’s even a little online payment service outfit down there. We like it better than the big ones up here because those guys, they’re better with international currency and security.

After  we  get  all  that  going,  we’ve  got  to 
do  all  the  testing.  I’m  telling  you,  it’s  really 
not  much  different  than  those  e-commerce 
projects  I  read  about  in  CSO.  We  do  the 
same  due  diligence.  Same  troubleshooting. 
Same  thing  with  bosses  yelling,  “MIT,  you 
got  that  site  up  yet?  Super  Bowl’s  in  a  few 
weeks.  Site’s  gotta  be  up  for  that!” 

They ask for some ROI up front, by the way. It’s a little more informal than the way most of your readers do it. They’ll ask, “Ballpark, what do we gotta spend?” I give them a number. They say, “What can we clear in an average month?” I give them another number. I’m not making these up either. I ask around. I mean, that’s cost-benefit analysis right there, right?

Anyway, once that site’s up and running it’ll be a nice little business... for the overseas market, of course.

Even  Crooks  Need  Security 

I  INVEST  in  top-notch  security  because, 
believe  me,  gaming  sites  are  constantly 
dealing  with  extortion.  Criminals.  Not  a  day 
goes by when a site doesn’t have some Russian hacker launching a DDoS attack, asking
for  cash  to  call  it  off.  We  encrypt  everything, 
and  we’ve  got  pretty  severe  authentication 
for  access.  We  don’t  outsource  or  contract 
the  security.  We  keep  it  in-house. 

I  pay  my  security  guy  well.  I’d  say  about 
25  to  30  percent  above  what  you’d  pay.  Met 
him  at  the  Black  Hat  conference  in  Vegas  a 
couple  of  years  ago.  I  liked  him  right  away 
because  he  wasn’t  presenting  or  bragging 
about  what  a  hotshot  he  was.  He  was  in  the 
back,  taking  notes,  trying  to  learn.  Quiet.  I 
knew  right  away  he’d  fit  in. 

I’ve also tasked him (that’s how you say it, right?) with internal security. Basically, his job is chief privacy officer for a bunch of guys who really value privacy. All this technology—phones, the Internet—it’s all great for making money, but the problem is, everything gets logged. My security guy has written and used lots of antiforensic tools to erase those logs, and I’m comfortable telling my boss we have better privacy than the big banks. My security guy knows how to disable the GPS in our cell phones. He’s building some routing programs, sort of like that Onion Router project that, like it says on their website, “prevents the transport medium from knowing who is communicating with whom” so that anything we send over the Internet is scrambled through different routes and hops all over the world, completely anonymous and untraceable. And everything, I mean everything, is encrypted. Say someone stole the servers we keep here at the home office. My guy designed it so that really only two people can access the data: me and him. We have the private keys and no one else does. Not even the boss.

My  Kind  of  Guys 

THE GUYS I keep, or keep on a kind of retainer, are the ones that show me something extra. We had one guy who came to us selling a great new way to set up temporary international cell phone accounts, using credentials bought in the identity market. Guys will pay a lot for a disposable international cell phone. We bought some and were so impressed we decided to get into business with him. He set up the phones; we handled distribution. I asked the guy what else he was working on. He flips his laptop around and shows me his own website where he’s auctioning off credit credentials to the highest bidder. Slick. I said to him, “You could be our R&D.” He said, “Cool.” And that was that.

Compared to you guys, I’m pretty lucky with talent. My guys are way ahead on the technology. They work hard. They’re innovative and entrepreneurial. I think they’re some of the most talented IT staff around.

Alignment  Among  Thieves 

ACTUALLY,  THERE  is  one  way  you  and 
I  are  different.  I  read  all  those  stories  in  CSO 
about  how  hard  you  have  to  work  to  align 
technology  with  the  business’s  goals.  That’s 
one  problem  I  don’t  have.  My  bosses  don’t 
let  me  spend  a  dime  on  anything  that’s  not 
going  to  make  them  money.  Why  should 
they?  And  I  wouldn’t  even  think  about 
investing  in  a  huge  project  that  might  fail 
to  live  up  to  expectations.  I  don’t  get  play 
money  to  buy  technology  that  doesn’t  work. 
I don’t have vendors paying the freight to conferences at swank resorts to convince me to invest in something that’s half-developed and overhyped. I never use jargon. I spend zero time doing PowerPoints.

Speculation? That’s not part of our business model. So maybe I don’t get the newest gadgets all the time but, man, I’m aligned. With the bosses. With the business. There’s really no other choice, you know? ■


Executive  Editor  Scott  Berinato  can  be  reached  at 
sberinato@cxo.com. 



CSO  Undercover 


Finding Your Inner Lawyer

How to avoid common pitfalls when negotiating a security guard contract. By Anonymous

CONTRACT REVIEW IS tedious, particularly when it comes to going through all the fine print with a security guard provider. This can be especially problematic if your interaction (like mine) with contract guard agencies is for supplemental work only and not as a key component of your program. For today’s extremely busy CSO—and that’s all the CSOs I know—there is little time for such painstaking work. But it’s crucial. Consider the following three scenarios:

Scenario one: I contacted our legal department and asked them to review a contract guard agreement. Legal asked how critical this was, because they were working on leases, licensing arrangements, workers’ compensation issues, and SOX and SEC regulations—all things they clearly considered priorities. I asked them to review the contract as soon as possible, and received it back three months later.

Scenario two: Members of my team contacted our legal team and ended up in voice mail, where they left a message that they had an immediate need to employ a contract guard agency and I needed the terms and conditions reviewed right away. They repeated their request a day later, this time sending the contract to the department’s primary paralegal to speed up the process. A week later, they heard back from one of our attorneys, who asked when they needed the contract back.

Scenario three: My team contacted a local guard provider that indicated it could have guards onsite the same day and didn’t need a contract.

Given scenarios one and two, it might be tempting to avoid the whole hassle and skip to scenario three. But you should always secure a contract, regardless of the scope of services, the number of coverage hours and the duration of the engagement. Why? Simply put, contracts define expectations of service and protections, should something go wrong. A former CSO I know innocently engaged a service to cover a simple eight-hour assignment on very short notice. The guard assigned to the job ended up illegally detaining a customer, which led to a lawsuit that had to be worked out in court because there was no contract to protect his company from mistakes made by the contractor.

Your  Contract  Checklist 

NO CONTRACT means buyer beware. The CSO’s mission of protection should include protection against negligence and damages arising out of the provision of security services. I did some research and worked out some ways CSOs and their staffs can avoid common pitfalls with contract guard services.

1. Check the agency’s license. The contract guard agency should always provide you a copy of its license to conduct business. Contact the appropriate state agency to validate the license. You could also secure a Dun & Bradstreet report through your credit/finance department to ensure the solvency of the organization, or take other steps consistent with your company’s policy for vetting new vendors.

2. Request a certificate of liability insurance. It is important that you know, understand and communicate your company’s requirements for all contractors with respect to general liability, excess liability, workers’ compensation and employers’ liability. For example, a good policy is to have your vendor include you as an additional insured on its policy, which allows you to file a claim directly against the vendor’s insurance policy. Your risk management team should provide these requirements to you. They must be nonnegotiable.

3. Include a defense and indemnification clause. Also known as “hold harmless” language, this protects your company from lawsuits and claims generated because of the negligence of a guard company.

For example, take the scenario above, where a guard company employee illegally detains a customer. Odds are good that that customer is going to file a lawsuit, and you can be sure he will name your company as a defendant. The argument that your company “didn’t do anything wrong” will not matter. Without a written contract that contains “hold harmless” language, your company could waste money and countless hours defending itself from the claim.

The “hold harmless” clause prevents your company from having to defend and pay for claims where your company was not negligent. More specifically, this language does two things. First, the defense language ensures that the contract guard company picks up the legal defense cost you generate in defending your company from a claim caused by the negligence of the security guard. Second, the indemnification language ensures that the guard company is responsible for paying out any financial rewards due the injured party.

ILLUSTRATION BY JIMMY HOLDER

4. Require that the guards meet your standards. The guards assigned to your property should meet your basic background qualifications, and they must be required to provide physical evidence of a valid individual security guard license in those states mandating such licensing. In addition, it is recommended that you mandate timing (for example, quarterly or semiannually) for ongoing background checks and license verifications for longer-term contracts. Other checks, such as a national sex offenders check, can be considered when possible and depending on assignment.

5. Beware of subcontractors. Never underestimate this possibility—especially when dealing with an agency that claims to be nationwide but in fact simply subcontracts out across the country. If you allow the contract guard provider to hire subcontractors, then you must ensure and define the terms.

Preferably, all the terms you require of the primary agency must be extended to its subcontractor. Also, it is important to demand in writing that any subcontractor must specialize or give proof of experience in your particular industry. For instance, if you contract with a provider for guards in a retail environment and that provider subcontracts with an agency specializing in commercial business, then this mix could be ineffective or worse. In addition, the company you have a contract with that subcontracts work will ask for “hold harmless” and additional insured language in its contract with its subcontractor. Therefore, you should specify language in your contract that you be named as an additional insured by the subcontractor.

6. Consider specifying wages, rates and benefits. You get what you pay for, period. Specify the range of hourly rates you want the guards to be paid, and then compare that with the proposed billing rate. A former contract guard agency owner tells me that a fair billing rate places the wage rate at around 65 percent of the billing rate. Also, you should understand whether the agency provides benefits to its security officers. Companies that provide benefits tend to have better security officers and better retention.




7. Include a cancellation clause. A 30-day clause in a contract is typical, but make sure the clause applies to both you and the agency. This protects you from an agency walking away and leaving you unprotected.

Of course, those are just some of the more critical components. Others may be just as important, such as scope of service and security officer responsibilities, vehicle usage, uniforms, recruiting and training, and supervision. However, at least now you can take some immediate steps to ensure that you protect your company.

Getting  the  Legal  Help  You  Need 

AS FAR as securing contracts with good terms, as I see it you have a few options. The best option is to have an attorney from your in-house legal department assigned to support your department. Then, as contracts need to be reviewed, that attorney can ensure that the proper terms are structured into the contract—and you won’t get stuck waiting for days or weeks for someone to return your calls.

This isn’t always possible, though, so a second option is to use an outside counsel approved by your legal department. The counsel needs to be vetted and should have a working knowledge of the security industry. The counsel can be placed on retainer or operate on a project-to-project basis.

This is what I’m attempting to do. Currently, I am negotiating terms with an outside counsel, including retainer fees and the scope of services covered. Also, we are negotiating fee terms for services that may exceed the retainer to lock in an acceptable rate. Once this is complete, the full package will be sent to our in-house counsel for review.

If this isn’t an option for you, then you and your team can at least create a template of terms and conditions that can be presented to the contract guard agency. This template must be reviewed and approved by your legal department, and it will become the basis for negotiation and your requests for proposals. It must be clear to the contract guard agencies which terms are nonnegotiable.

Whatever the case, it is important to plan strategically when it comes to contract guard services. To avoid last-minute engagements that typically force you into less favorable terms, you can identify and negotiate in advance with contract guard agencies for on-demand services. You may pay a little more, but the contract will be structured to protect your organization.

Sure, it may be easier just to sign on the dotted line. But if contracts are not executed correctly, it does a disservice to you and your company. Worse, the arrangement could end up harming the very company you are entrusted to protect. Let’s face it, do you think your CEO is going to accept the excuse that you exposed the company to liability because the legal department was too busy? I don’t think so. ■


Undercover is written anonymously by a real CSO. Send feedback to csoundercover@cxo.com.




Sales  and  Services 

CSO  Sales  Offices 

President  and  CEO 

Michael  Friedenberg  •  508  935-4310 

Publisher 

Bob  Bragdon  •  508  935-4443 
Senior  Ad  Sales  Associate 
Christine  McKay  •  508  988-7836 
Eastern  Territory 
East  Coast  Regional  Manager 
Roz  Burke  •  508  935-4163 
Western  Territory 
Regional  Sales  Manager 
Drew  Seifried  •  415  217-9083 

Online  Sales 

Vice  President,  Online  Sales 

Brian  Glynn  •  508  935-4586 

Online  Regional  Sales  Manager 

Richard  Hartman  •  508  935-4487 

Online  Regional  Sales  Manager,  West  Coast 

Erika  Karr  •  415  978-3329 

Online  District  Sales  Manager 

Sara  Mascall  •  415  978-3385 

Manager,  Online  Account  Services 

Danielle  Tetreault  •  508  988-7969 

Online  Account  Services  Specialist 

Valerie  Sumner  •  508  988-7877 

Online  Advertising  Specialist 

Irina  Gabechiia  •  508  935-4414 

Online  Ad  Sales  Associate 

Devon  Slattery  •  415  975-2687 

Online  Account  Services  Coordinator 

Hayley  Nickerson  •  508  988-7819 

Custom  Solutions  Group 

Vice  President 
Matt  Avery  •  508  935-4796 
National  Director  of  Sales 
Adam  Dennison  •  508  935-4087 
Executive  Editor  Tom  Field 
Managing  Editor 
Jim  Malone 
Associate  Editor 
Anne  Taylor 

Senior  Project  Manager 

Amy  Greenleaf 

Project  Managers 

Karen  Capland,  Amy  Freeman 

CSO  Executive  Council 

Managing  Director 

Bob  Hayes 

VP,  Research  and  Product  Development 

Kathleen  Kotwica 

Director,  IT  and  Product  Technology 

Greg  Kane 

Operations  and  Production  Specialist 
Jayne  Marcucella 
Member  Services  Manager 
Elizabeth  Lancaster 


Production 

VP/Manufacturing 
Chris  Cuoco 
Production  Manager 
Heidi  Broadley 

Associate  Production  Manager 

Lisa  M.  Stevenson 

Executive  Programs 
VP,  Executive  Programs 

Ellen  Daly 

Director,  Event  Marketing 
Mary  Conroy 

Director,  Event  Operations 
Deb  Begreen 
National  Sales  Manager 
Per  Melker 

Senior  Conference  Producer 
Judith  Kittredge 
Event  Planner 
Sarah  Reagan 
Event  Coordinator 
Bethany  Whiffin 

Registration  Specialist 
Cress  O'Brien 
Client  Services  Specialist 
Erica  Foster 
Sales  Associate 

Nicole  Blackburn  •  508  935-4154 

Marketing 

Sr.  Director,  Marketing  Communications 

Sue  Yanovitch 

Sr.  Marketing  Communications  Specialist 
Susan  Murray 

Marketing  Communications  Specialist 

Lynn  Holmlund 

Circulation 

Senior  VP/Circulation 

Carol  A.  Spach 

Subscription  Services  Supervisor 
Tina  Pescaro 

List  Services 

Contact  Paul  Capone  of  IDG  List  Services  at 
508  370-0865  or  pcapone@idglist.com. 

Reprint  Services 

For  article  reprints  (100  quantity  or  more), 
please  contact  Keith  Williams  at  PARS 
International  at  212  221-9595,  ext.  319, 
or  e-mail  keith.williams@parsintl.com. 

For  further  sales  information,  visit 
www.csoonline.com/reprints/index.html. 


CSO  Contact  Information 

Editorial/Advertising/Business  Offices 

492  Old  Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 

Postal  Information 

CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9.

Permissions 

Copyright  2007  by  CXO  Media  Inc.  All 
rights  reserved.  Reproduction  of  material 
appearing  in  CSO  is  forbidden  without 
written  permission.  Send  requests  to  Yadira 
Pizarro,  PARS  International,  212  221-9595, 
ext.  231,  or  e-mail  yadira@parsintl.com. 

Photocopy  Rights 

Permission  to  photocopy  for  internal  or 
personal  use  or  the  internal  or  personal  use 
of  specific  clients  is  granted  by  CSO  for  users 
through  the  Copyright  Clearance  Center, 
provided  that  a  fee  of  $3.50  per  copy  of  the 
article  is  paid  directly  to  Copyright  Clearance 
Center,  222  Rosewood  Drive,  Danvers,  MA 
01970.  www.copyright.com.  Please  specify: 
ISSN  1540-904x.  Permission  to  photocopy 
does  not  extend  to  contributed  articles 
followed  by  this  symbol:  $. 

Subscriptions 

Address  Inquiries  to  CSO,  P.O.  Box  3482, 
Northbrook,  IL  60065;  866  354-1125. 

CSO  is  free  to  qualified  information 
executives.  To  all  others  the  one-year  basic 
rate  is  $70  for  the  United  States  and  Canada, 
$95  to  foreign  countries  (payable  in  U.S. 
funds  only).  The  single  copy  price  is  $9  to 
the  U.S.  and  Canada  and  $15  International. 
Please  allow  four  to  six  weeks  for  new 
subscriptions  to  begin. 

Change  of  Address 

Go  to  www.omeda.com/custsrv/cso  and 
follow  the  online  instructions. 

Postmaster 

Send  change  of  address  to: 

CSO,  P.O.  Box  3482,  Northbrook,  IL  60065 
Printed  in  the  USA. 


Index  of  Companies  and  Advertisers 

Company  Index 

American  Management  Association . 13 

AOL  LLC . 13 

Apple  Inc . 13 

AT&T . 26 


Bernstein  Crisis  Management  LLC . 34 

Black Hat . 13, 38

BT  . 26 

California Department of Motor Vehicles . 13

Cisco  Systems  Inc . 22 

EDAW  Inc . 13 

Electronic  Data  Systems  Corp . 34 

Electronic Privacy Information Center . 13

E-Loan  Inc . 34 

ePolicy  Institute . 13 

Forrester  Research  Inc . 13 

Frost  &  Sullivan  . 26 

Gartner  Inc . 13,  26 

Getronics . 26 

Global  Security  Group . 13 

Google  Inc . 13 

Harvard  University . 22 

IBM  Corp . 26,  38 

Law Enforcement Retail Partnership Network . 13

Message  Labs  Ltd . 26 

Michigan  State  University  . 34 

Microsoft  Corp . 13,  22 

National  Retail  Federation  . 13 

Oxford  University . 26 

Perimeter  eSecurity . 26 

Postini  Inc . 26 

Q1 Labs Inc . 22

Sophos Plc . 13

Sprint  Nextel  . 26 

Symantec  Corp . 26 

Telus . 26 

TJX  Companies  Inc . 38 

U.S. Department of Homeland Security . 13

University  of  Florida . 13 

University  of  Minnesota . 26 

VeriSign  Inc . 26 

Verizon . 26 

VigilantMinds . 26 

Visions  Federal  Credit  Union  . 26 

WhiteHat  Security  Inc . 24 

Advertiser  Index 

ADT  Security  Services  Inc . 3 

ASIS  International  . 25 

BT  Counterpane . 11 

CA  . C4 

CXO Media Inc . 9, 23, 37

Cyveillance . C3 

Executive  Women's  Forum . 47 

HID  Corp . 17 

Hewlett-Packard  Co . 21 

IBM  Corp . C2 

IDC  Security  Forum  . 41 

Intel  Corp . 7 

ISACA . 15 

Quantum  Secure  Corp . 5 

RSA  Security  Inc . 42, 43 

Security  Standard,  The . 12 

SunGard  Availability  Services  . 8a 

Tumbleweed  Communications  Corp . 19 




5th  Annual 

EXECUTIVE  WOMEN’S 
FORUM 


Information  Security,  Risk 
Management  &  Privacy 


Managing  Risk  Through  Collaboration 

Hosted by Alta Associates Inc., the 5th Annual Executive Women’s Forum (EWF) brings together more than 200 women of influence, power and intelligence to explore the impact of managing risk through collaboration in today’s global business environment.

The EWF provides a casual venue that fosters the development of creative ideas, innovative solutions and deep relationships.

Join  your  peers  to  explore  how  we  are  connecting  the  dots. 


PANEL  TOPICS 

> COMPLICATIONS FROM INNOVATION

> PRIVACY—ARE YOU IN JEOPARDY?

> DATA, DATA, WHO’S GOT MY DATA?

> ENTREPRENEURIAL SPIRIT

> YEAR IN REVIEW—HEADLINES & PREDICTIONS

Diamond  Sponsors: 


KEYNOTE  SPEAKERS 

DR.  CLAUDIA  NATANSON 

Chief  Information  Security  Officer 
Diageo 

LINDA  MEEKS 

Director,  Information  Protection  &  Assurance 
The  Boeing  Company 


Information Networking Institute

CA

Microsoft • Sun • Symantec

Carnegie Mellon CyLab


WOMEN  OF  INFLUENCE 
AWARDS 

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO magazine and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy. Winners will be announced at an awards ceremony during the Executive Women’s Forum.

NOMINATION FORM AVAILABLE AT: http://public.cxo.com/awards/applicationWOI_2007.html

Nominations must be submitted by August 1, 2007.


Media  sponsor  &  awards  co-presenter: 


CSO 

The  Resource  for  Security  Executives 


Forum  host  &  awards  co-presenter: 


microsystems 


For  more  information  on  the  EWF  or  to  register,  please  visit:  www.infosecuritywomen.com 


Prince  of  Pranks 


It’s hard to know when to believe Sir John Hargrave. Did he really legally change his name to Sir John in hopes of being knighted by Britain’s Queen Elizabeth II? Did he really name his son Luke Rocket Hargrave because he thought Rocket was the coolest name ever? When you’ve been orchestrating pranks for 13 years, Hargrave says, people don’t believe anything you say because they’re scared that they’re part of the joke. Hargrave specializes in stunts that expose security. He’s taken a special interest in credit card companies’ inability to stop fraud. He’s signed up for several credit cards under famous people’s names (e.g., Michael Jackson) and even had a real card issued to him under the name Giant Monkey. “I’m a comedian first and foremost,” Hargrave explains. “If I’ve made you laugh, I’ve done my job. But I find the most interesting pranks are about things that make me really, really mad.” Debriefing spoke to Hargrave about Bluetooth headsets’ comedic value, his biggest prank yet and his preternatural ability to self-promote.


Debriefing: So you’re a comedian? Do people always ask you to say something funny?

Sir John Hargrave: You mean besides right now? When you run the world’s oldest comedy website, Zug.com, for 13 years, and you were born on April Fool’s day, people always expect you to be funny.

That’s  not  funny.  Say  something  funny. 

[Weak,  impatient  laugh] 

On your site you have a detailed text and video account of walking right into Dolphin Stadium prior to the Super Bowl with two pallets of suspicious little light-up devices. What was the goal of the prank?

The goal was to orchestrate the world’s greatest prank of all time—

Wait.  A  prank  even  bigger  than  Ashton 
Kutcher’s  career? 

Yeah, that’s right. Plus I had my book to promote, Prank the Monkey, which is number one in Amazon’s Humor section. [Measured throat clearing]


Is it true you opened a credit card in Ashton Kutcher’s name? That you Punk’d the Punk’der?

Yeah.  That's  a  chapter  of  my  book. 

You self-promote much better than you tell jokes.

That’s z-u-g dot com. Again, the book is Prank the Monkey.

Back to the Super Bowl. Some think you wanted to—surprise, surprise—spell the name of your website with the light-up devices during Prince’s halftime show, but failed. Some say you never got into Dolphin Stadium at all but since you couldn’t handle prank failure, you faked it.

I  call  hoax! 

I find it consistently amusing that a conspiracy theory has risen around this. It’s remarkable that we pulled something off and people can’t believe it. Americans crave this illusion of total security. It just wasn’t that hard. Wouldn’t it cost more to fake the moon landing than actually go to the moon?

Um, no. But anyway, assuming you did get by security at the Super Bowl, how’d you pull it off?

A lot of it is appearance. I wore a suit and a Bluetooth headset.

Bluetooth  headset?  Loooserrrr. 

I agree they’re obnoxious, but if you look the part, people give you credit you don’t deserve. Security’s trained to look for someone “suspicious.” The other thing I did was initiate conversations and ask for help. People want to help, and once they do, they don’t want to suspect they just helped someone they should have been suspicious of.

Hey, that’s Festinger’s cognitive dissonance theory, that incompatible cognitions result in physical and emotional discomfort, which we try to eliminate by justifying one cognition over the other.

Now  who’s  not  funny? 




ILLUSTRATION  BY  STEVE  TRAYNOR 


Cyveillance.  The  world  leader  in  cyber  intelligence. 

Every day, new threats emerge online that could harm the very core of your business. That’s why industry leaders are turning to Cyveillance for a proven intelligence-led approach to address the full scope of today’s online risk environment.

From malware and identity theft, to phishing, unlicensed product sales, and corporate espionage, Cyveillance covers the entire spectrum of Internet risks. With the most comprehensive Internet monitoring infrastructure, a real-time portal, and dedicated support from cyber intelligence experts, Cyveillance gives you the intelligence to stop threats before they cause harm.

Don’t depend on conventional monitoring solutions to keep your organization in the know. Stay on top of online threats with Cyveillance, the world leader in cyber intelligence.


Download  the  new  white  paper: 
Intelligence-Led  Security 

www.cyveillance.com/CSO 


Cyveillance 




It all begins with a single view of your entire IT portfolio — a scenic overlook of your assets, resources, projects and services. From there, you can plan better, manage better. You can make informed decisions, smart trade-offs and wise investments. In short, you can budget, forecast and track with insight, accuracy and verve. Yes, verve. And that’s everything you need to translate IT value into terms that bring nods of enlightenment from your business partners. To learn more, download the white paper “Generating Premium Returns on IT Investments” at ca.com/itg.


GOVERN  •  MANAGE  •  SECURE 


Transforming IT Management


